CVE-2019-10802: OS Command Injection in giting
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-10802
GHSA ID
EPSS Score: 0.6975%
CWE
Published: 4/13/2021
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
giting | npm | <= 0.0.8 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly states that the first argument, 'repo', of pull() is vulnerable. The commit diff shows the fix added encodeURIComponent(repo.branch) in three locations (fetch/checkout/pull), but the primary vulnerable entry point is pull(), as referenced in all advisories. The function interpolates repo.branch directly into a child.exec command string without validation, so the shell interprets whatever the branch property contains; when attacker-controlled values reach the branch property of the repo object, this becomes OS command injection.