
CVE-2015-4130: Command Injection in ungit

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 8/31/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: vuln_not_found

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
ungit          npm         <= 0.8.4              0.9.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper neutralization of the 'url' parameter when constructing git commands. The GitHub issue example shows user input being directly concatenated into a shell command (git remote add [url]), enabling arbitrary command execution via shell operators. This matches the CWE-77 pattern where user input flows into command execution contexts without proper sanitization. The core git command execution handler in ungit's codebase (likely in a file like src/git-api.js) would be responsible for this vulnerable pattern.


WAF Protection Rules

WAF Rule

Versions of `ungit` prior to 0.9.0 are affected by a command injection vulnerability in the `url` parameter.

Recommendation

Update to version 0.9.0 or later.
