CVE-2022-1440
Published: 22 April 2022
Summary
CVE-2022-1440 is a critical-severity OS Command Injection (CWE-78) vulnerability in the git-interface package (GitHub repository yarkeev/git-interface). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-1440 is a command injection vulnerability, tracked as CWE-78, affecting the git-interface package at version 2.1.1 in the yarkeev/git-interface GitHub repository. The flaw is an argument injection into `git clone`: when both arguments passed to the clone are taken from unsanitized user input, an attacker can supply a value that git parses as its `--upload-pack` option. That option names the program git runs to serve the clone, and for local-path and ssh clones git hands it to a shell, so an arbitrary operating-system command is executed. No shell metacharacters are needed in the wrapper itself, which is why spawning git without a shell does not, on its own, prevent the attack.
An unauthenticated remote attacker who can reach an application that forwards input to this clone call can trigger the injection and achieve command execution on the affected system, resulting in complete compromise of confidentiality, integrity, and availability. The vulnerability carries a CVSS 3.1 base score of 9.8 with a network attack vector, low attack complexity, and no privileges or user interaction required.
The referenced GitHub commit f828aa790016fee3aa667f7b44cf94bf0aa8c60d and the associated huntr.dev report document the fix that was released in version 2.1.2. The current EPSS score of 0.0854 with a peak of 0.0941 does not indicate a material rise that would signal emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1813
Vulnerability details
Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported for `git clone`, which would then allow for any operating system command to be spawned by the attacker.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- git-interface 2.1.1 (GitHub repository yarkeev/git-interface); fixed in version 2.1.2
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the applicable controls are those for the weakness type cited in the NVD entry, CWE-78: do not forward untrusted input as command arguments without validation, reject values that the invoked command would parse as options (a leading `-`), and terminate option parsing with `--` where the command supports it, as `git clone` does.