CVE-2020-28434: gitblame susceptible to command injection

CVSS Score (CVSS 3.1): 9.8

Basic Information

EPSS Score: 0.25756%
Published: 8/3/2022
Updated: 1/30/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: gitblame
Ecosystem: npm
Vulnerable Versions: <= 0.1.1
First Patched Version: (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is explicitly located in line 15 of lib/gitblame.js where 'exec('git blame ' + filename)' is called. The code directly interpolates user-controlled filename input into a system command without proper sanitization or parameterization. This matches the CWE-77 command injection pattern where untrusted data flows into command execution contexts. The provided PoC demonstrates exploitability by passing '& touch JHU' as input to trigger arbitrary command execution.

WAF Protection Rules

WAF Rule

A command injection vulnerability affects all versions of package gitblame. The injection point is located in line 15 in lib/gitblame.js.
