Miggo Logo
Miggo Vulnerability Database
CVE-2021-34081

CVE-2021-34081: OS Command Injection in gitsome

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-34081
GHSA ID
GHSA-9v73-x562-wv5x
EPSS Score
0.90436%
CWE
CWE-78
Published
6/3/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
gitsomenpm<= 0.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly involves crafted tag names enabling OS command injection. This implies: 1) The package interacts with git CLI to process tags 2) Tag names are used unsafely in command construction 3) Node.js child_process methods (exec/execSync) without proper sanitization are likely involved. While exact code isn't available, the version calculation functionality (gs.version()) that processes git tags would be the logical injection point. The high confidence comes from the direct match between the vulnerability description and common OS command injection patterns in git interaction code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

OS *omm*n* Inj**tion vuln*r**ility in **ultm*n *itsom* t*rou** *.*.* *llows *tt**k*rs to *x**ut* *r*itr*ry *omm*n*s vi* * *r**t** t** n*m* o* t** t*r**t *it r*pository.

Reasoning

T** vuln*r**ility *xpli*itly involv*s *r**t** t** n*m*s *n**lin* OS *omm*n* inj**tion. T*is impli*s: *) T** p**k*** int*r**ts wit* `*it` *LI to `pro**ss` t**s *) T** n*m*s *r* us** uns***ly in *omm*n* *onstru*tion *) `No**.js` `**il*_pro**ss` m*t*o*s