
[GHSA-qwrq-vxvw-537r] git-shallow-clone OS Command Injection vulnerability #4979

Conversation

DSimsek000

Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • CWEs
  • Description
  • Severity
  • Summary

Comments
Note that the module does not pass user input to the shell. That means that there is no command injection and the current CWE is wrong. While there exists a way to control some part of the arguments, it does not create a scenario that can be exploited by a remote attacker. The correct category would be Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88).

@github-actions github-actions bot changed the base branch from main to DSimsek000/advisory-improvement-4979 November 3, 2024 12:33
@JonathanLEvans

Hi @DSimsek000, thank you for your contribution. We used CWE-78 because Snyk included CWE-78 in the CVE record they published. To get the issue resolved for everyone, you need to email Snyk at [email protected].

That being said, you seem to be saying the vulnerability is caused by git-shallow-clone allowing dangerous git options such as upload-pack in the clone path, similar to GHSA-8jmw-wjr8-2x66. Is that correct?

@DSimsek000
Author

Hi, thanks for pointing that out. The vulnerabilities are indeed similar. Since CWE-78 seems to refer to shell injection, I think CWE-88 might be more appropriate here (even if it can lead to arbitrary code execution). I will email them.

@DSimsek000
Author

Hi @JonathanLEvans, Snyk updated their CWE and title for SNYK-JS-GITSHALLOWCLONE-3253853.

@advisory-database advisory-database bot merged commit 3a2c0b6 into DSimsek000/advisory-improvement-4979 Nov 7, 2024
2 checks passed
@advisory-database
Contributor

Hi @DSimsek000! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the DSimsek000-GHSA-qwrq-vxvw-537r branch November 7, 2024 18:36