
CVE-2021-26541: Command injection in gitlog

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.92636%
Published: 4/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name  Ecosystem  Vulnerable Versions  First Patched Version
gitlog        npm        < 4.0.4              4.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability was patched by replacing exec/execSync with execFile/execFileSync, which take the command's arguments as a separate array instead of passing a single string through a shell. The original functions built the command string by concatenating user-supplied inputs without sanitization, so shell metacharacters in those inputs were interpreted by the shell (command injection). The commit diff shows a direct replacement of these functions as the fix.


WAF Protection Rules

WAF Rule

The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
