CVE-2024-21533

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Oct 8, 2024

CVSS 6.5 | EPSS 0.04% | Medium

Summary

All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API. The clone() API lets the caller specify the remote URL to clone and the path on disk to clone into. The library neither sanitizes that user input nor validates the URL scheme, and it does not place the user-controlled values after the POSIX double-dash (--) that tells the git binary that option parsing has ended, so a value beginning with "-" is interpreted by git as a command-line flag.

Impact

This vulnerability could allow an attacker to inject arbitrary arguments into the git commands that the ggit package executes. Depending on which git options can be reached, this can escalate to command injection, potentially allowing execution of arbitrary commands on the system where ggit is used. The impact could include unauthorized access to sensitive information, modification of files, or execution of malicious code with the privileges of the application using ggit.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability was publicly disclosed on October 8, 2024, and a patch was added on the same day according to the GitHub Advisory.

Mitigation

1. Update to a patched version of the ggit package as soon as possible.
2. If immediate updating is not possible, implement input validation and sanitization for any user-supplied input that reaches the ggit package, especially URLs and file paths.
3. Apply the principle of least privilege to applications that use the ggit package.
4. Monitor and audit systems using ggit for suspicious activity or unexpected command executions.
5. Consider temporarily disabling or restricting use of the ggit package in critical systems until patching can be completed.
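The following is an added example, not ggit's code, showing what item 2 looks like in practice for a git clone wrapper: the URL scheme is allowlisted, values starting with "-" are refused, and user-controlled values are placed after the "--" end-of-options marker so git cannot read them as flags. All function names (validateRemoteUrl, validateDestPath, buildCloneArgs, safeClone) and the allowed-scheme set are this example's own assumptions.

```javascript
// Hardened wrapper around `git clone` (example code, not the ggit package).
// Names and the scheme allowlist below are assumptions made for this example.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:', 'git:']);

// Validate a caller-supplied remote. Returns the normalized URL or throws.
// scp-style "user@host:path" is rejected by design: it is not an absolute URL.
function validateRemoteUrl(remote) {
  if (typeof remote !== 'string' || remote.length === 0) {
    throw new TypeError('remote must be a non-empty string');
  }
  // A value starting with "-" would be parsed by git as an option, not a URL.
  if (remote.startsWith('-')) throw new Error('remote must not start with "-"');
  let parsed;
  try {
    parsed = new URL(remote);
  } catch {
    throw new Error('remote is not an absolute URL');
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    throw new Error(`unsupported URL scheme: ${parsed.protocol}`);
  }
  return parsed.href;
}

// Validate the destination path: no leading "-", no NUL, no ".." segments.
function validateDestPath(dest) {
  if (typeof dest !== 'string' || dest.length === 0) {
    throw new TypeError('dest must be a non-empty string');
  }
  if (dest.startsWith('-')) throw new Error('dest must not start with "-"');
  if (dest.includes('\0')) throw new Error('dest must not contain NUL');
  if (dest.split(/[\\/]/).includes('..')) throw new Error('dest must not contain ".."');
  return dest;
}

// Build argv for git: our own options first, then "--", then the two
// user-controlled positionals, so git never treats them as flags.
function buildCloneArgs(remote, dest, { depth } = {}) {
  const argv = ['clone'];
  if (depth !== undefined) {
    if (!Number.isInteger(depth) || depth < 1) throw new RangeError('depth must be >= 1');
    argv.push('--depth', String(depth));
  }
  argv.push('--', validateRemoteUrl(remote), validateDestPath(dest));
  return argv;
}

// Run git via execFile (no shell), so there is no second layer of parsing.
function safeClone(remote, dest, options) {
  const { execFileSync } = require('node:child_process'); // loaded here so the validators stay pure
  return execFileSync('git', buildCloneArgs(remote, dest, options), { stdio: 'inherit' });
}
```

buildCloneArgs is the part worth unit-testing in your own code base; safeClone only hands its result to execFile.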

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 8, 2024 at 6:30 AM
First Article

Feedly found the first article mentioning CVE-2024-21533.

Oct 8, 2024 at 6:44 AM / CTI Feeds - Cybercrime on Telegram
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 8, 2024 at 6:44 AM
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 8, 2024 at 4:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 9, 2024 at 10:29 AM

Affected Systems

Octobercms/october

Patches

Github Advisory

Attack Patterns

CAPEC-137: Parameter Injection

Vendor Advisory

[GHSA-pr45-cg4x-ff4m] ggit is vulnerable to Arbitrary Argument Injection via the clone() API
GitHub Security Advisory: GHSA-pr45-cg4x-ff4m
Release Date: 2024-10-08
Update Date: 2024-10-08
Severity: Moderate
CVE-2024-21533

Package Information
Package: ggit
Affected Versions:
Patched Versions: None

Description
All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize user input or validate a given URL scheme, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-21533
https://gist.github.com/lirantal/80c6d59ac1b682a32bc9d2ff92044bb9
https://security.snyk.io/vuln/SNYK-JS-GGIT-5731319

News

Update Thu Oct 31 14:35:57 UTC 2024
Update Wed Oct 16 14:41:55 UTC 2024
Update Tue Oct 15 06:42:07 UTC 2024
ggit is vulnerable to Arbitrary Argument Injection via the clone() API

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: Low
