CVE-2024-21533: ggit is vulnerable to Arbitrary Argument Injection via the clone() API

CVSS Score
6.5 (CVSS v3.1)

Basic Information

EPSS Score
0.09855%
Published
10/8/2024
Updated
10/8/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Package Name
ggit
Ecosystem
npm
Vulnerable Versions
<= 2.4.12
First Patched Version
(none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability documentation and PoC explicitly reference the clone() API as vulnerable, which maps to the cloneRepo function in the ggit package. The function's failure to sanitize inputs and to properly format git arguments matches the described attack pattern. The high confidence comes from:
1) a direct match between the documented vulnerable API (clone()) and the exported function name (cloneRepo);
2) reproduction proof using this function;
3) the typical Node.js package structure, where the core functionality resides in index.js.

WAF Protection Rules

WAF Rule

All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given UR
