CVE-2015-4130: Command Injection in ungit
CVSS Score: N/A
Basic Information
CVE ID
GHSA ID
EPSS Score: -
CWE
Published: 8/31/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ungit | npm | <= 0.8.4 | 0.9.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper neutralization of the 'url' parameter when constructing git commands. The GitHub issue example shows user input being concatenated directly into a shell command (git remote add [url]), which lets shell operators in the input execute arbitrary commands. This matches the CWE-77 pattern, in which user input flows into a command execution context without proper sanitization. The core git command execution handler in ungit's codebase (likely in a file like src/git-api.js) would be responsible for this vulnerable pattern.
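The pattern described above next to a hardened form, as an added example (not ungit's code and not its actual patch). The function names, the protocol allow-list and the sample URLs are assumptions made for illustration.

```javascript
// Added example: names, allow-list policy and inputs are assumptions, not ungit's code.

// Vulnerable pattern from the analysis: the url is concatenated into a string that a
// shell will parse, so shell operators inside it are interpreted by the shell.
function buildShellCommand(name, url) {
  return 'git remote add ' + name + ' ' + url;
}

const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;
const ALLOWED_PROTOCOLS = new Set(['https:', 'ssh:', 'git:']); // assumed policy

// Defence in depth: reject values git could read as an option, values with
// whitespace or control characters, and protocols outside the allow-list.
function validateRemote(name, url) {
  if (typeof name !== 'string' || !NAME_RE.test(name)) {
    throw new Error('invalid remote name');
  }
  if (typeof url !== 'string' || url.startsWith('-')) {
    throw new Error('invalid remote url');
  }
  if (/[\s\x00-\x1f\x7f]/.test(url)) {
    throw new Error('whitespace or control character in url');
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error('url does not parse');
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new Error('protocol not allowed');
  }
  return ['remote', 'add', name, url];
}

// Hardened form: no shell is involved, and every array element reaches git as
// exactly one argv entry, whatever characters it contains.
// The default runner is loaded lazily (CommonJS); tests can inject their own.
function addRemote(repoPath, name, url, run = require('child_process').execFileSync) {
  const args = validateRemote(name, url);
  return run('git', args, { cwd: repoPath, shell: false });
}
```

The argument array is what removes the injection; the validation only narrows what git itself is asked to handle, which is why a URL containing `;` but no whitespace still passes and arrives as a single argument.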