
CVE-2018-3785: Command Injection in git-dummy-commit

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.87234%
Published: 8/21/2018
Updated: 2/3/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
git-dummy-commit | npm | <= 1.3.0 | (not listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is improper neutralization of special elements used in an OS command (CWE-78). The package exists to create git commits, so its core function builds and runs a git commit command that carries a caller-supplied commit message. If that message is interpolated into a single command string and handed to a shell (for example via child_process.exec), a message containing shell metacharacters such as `"`, `;` or `$(...)` terminates the quoted -m argument early and the remainder runs as additional commands with the privileges of the calling process. Passing the message as its own argv element to execFile or spawn, with no shell involved, delivers those characters to git as literal data instead. The advisory names an 'unescaped parameter' as the cause, which points to exactly this insecure command construction in the commit-creation function.


WAF Protection Rules

WAF Rule

A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.
