CVE-2021-32673: Remote Command Execution in reg-keygen-git-hash-plugin

CVSS Score (v3.1)
8.8

Basic Information

EPSS Score
0.81939%
Published
6/8/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Package Name
reg-keygen-git-hash-plugin
Ecosystem
npm
Vulnerable Versions
< 0.10.16
First Patched Version
0.10.16

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The commit f84ad9c introduced shell-escape to sanitize git command arguments, indicating previous vulnerable command construction patterns. All modified functions used unsanitized template string interpolation (${hash}, ${a}, ${b}) in child_process.execSync calls, making them susceptible to command injection. The CWE-78 classification confirms improper neutralization of OS command special elements. High confidence comes from the explicit addition of argument escaping in the patch and the vulnerability's CVSS score of 8.8.

WAF Protection Rules

WAF Rule

Impact

`reg-keygen-git-hash-plugin` before 0.10.16 allows remote attackers to execute arbitrary commands.

Patches

Upgrade to version 0.10.16 or later.

For more information

If you have any questions or comments about this advisory:
