
CVE-2021-3028: git-big-picture Code Execution

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.76581%
Published: 5/24/2022
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: git-big-picture
Ecosystem: pip
Vulnerable Versions: < 1.0.0
First Patched Version: 1.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper input validation when processing branch names that contain single quotes. The patch in PR#62 added the --python flag to git for-each-ref so that git itself emits every substituted %(fieldname) value as a properly quoted Python string literal, which indicates that the original implementation consumed unquoted output. The get_refs function would therefore have parsed ref lines in which branch names were embedded raw, most likely via eval() or an equivalent, so a `'` inside a ref name could close the intended string literal and append arbitrary Python code that runs in the tool's process. Git permits single quotes in ref names, so any repository carrying an attacker-controlled branch is a viable input. This matches CWE-20 (Improper Input Validation) and explains the code execution vulnerability.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

git-big-picture before 1.0.0 mishandles `'` characters in a branch name, leading to code execution.

Reasoning

The vulnerability stems from improper input validation when processing branch names containing single quotes. The patch in PR#62 added the `--python` flag to `git for-each-ref` to get properly escaped output, indicating the original implementation lacked