CVE-2022-24437
Published: 01 May 2022
Summary
CVE-2022-24437 is a critical-severity Argument Injection (CWE-88) vulnerability in the git-pull-or-clone Node.js package (listed under the vendor name "Git-Pull-Or-Clone Project"). Its CVSS base score is 9.8 (Critical).
It ranks in the top 6.6% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
The git-pull-or-clone package before version 2.0.2 is vulnerable to argument injection that escalates to command execution. The package runs git clone through the child-process spawn() API with an argument array, so no shell is involved and classic shell-metacharacter injection does not apply. The outpath parameter, however, is passed to git as a bare positional argument with no "--" separator, and git's option parser also accepts options that appear after positional arguments. An outpath value of the form --upload-pack=<command> is therefore parsed by git as the --upload-pack option rather than as a directory, and git executes <command> in place of git-upload-pack when it fetches from the remote.
The CVSS vector models this as a network-reachable attack requiring no privileges or user interaction, which yields the full confidentiality, integrity, and availability impact behind the 9.8 rating. In practice the library is only exposed where the calling application lets untrusted input reach outpath; where it does, the attacker obtains arbitrary command execution with the privileges of the Node.js process that called the library.
Public references, including the Snyk advisory and the project's own commit history, indicate that the vulnerability is resolved by upgrading to git-pull-or-clone 2.0.2 or later; the fix ensures that outpath is no longer interpreted as a command-line option by git clone. Callers should still treat outpath as untrusted input (for example, reject values beginning with "-" and validate the path) rather than relying on the library alone. The associated EPSS score has remained flat at 0.1039 with no material increase since disclosure.
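To make the argument-injection mechanism concrete, the following is an added example written for this page; it is a reconstruction, not the project's own source or its 2.0.2 patch. It places the vulnerable argv shape beside a hardened one that ends option parsing with "--", adds a caller-side check that rejects option-looking paths, and includes a small model of the part of git's option parsing that matters here so the difference can be observed without running git. The repository path, output directory, and injected command are constructed for the demo.

```javascript
'use strict';

// Constructed inputs for the demo (not from the advisory or a real target).
const REPO_URL = '/srv/git/upstream.git';              // local-path remote: git runs upload-pack locally
const GOOD_OUTPATH = 'checkout';                       // what a caller normally passes
const EVIL_OUTPATH = '--upload-pack=touch /tmp/pwned'; // attacker-controlled "path"

// Reconstructed vulnerable argv shape (hypothetical, not the project's literal
// source). spawn() is used, so no shell parses this, but git itself does:
// git's option parser accepts options after positional arguments, so an
// outpath beginning with "-" becomes an option, not a directory.
function buildCloneArgsVulnerable(url, outpath) {
  return ['clone', '--depth', '1', url, outpath];
}

// Hardened argv: the "--" separator ends option parsing, so everything after
// it is positional. git then treats "--upload-pack=..." as a directory name
// (an odd one, but not a command).
function buildCloneArgsFixed(url, outpath) {
  return ['clone', '--depth', '1', '--', url, outpath];
}

// Defence in depth for the caller: an output directory should never look like
// an option. This also catches the space-separated "-u <cmd>" spelling.
function isOptionLike(value) {
  return typeof value === 'string' && value.startsWith('-');
}

// Minimal model of the part of git's parsing that matters here: walk the argv
// after the subcommand, stop at "--", and report any upload-pack override.
// Returns the injected command string, or null when none would be executed.
function injectedUploadPack(argv) {
  const rest = argv.slice(1); // drop the "clone" subcommand
  for (let i = 0; i < rest.length; i++) {
    const arg = rest[i];
    if (arg === '--') return null;
    if (arg.startsWith('--upload-pack=')) return arg.slice('--upload-pack='.length);
    if (arg === '--upload-pack' || arg === '-u') return rest[i + 1] ?? null;
  }
  return null;
}

// Safe wrapper around git clone: validates, then uses the hardened argv.
// The spawn function is injected so the argv logic above is testable offline.
function safeClone(url, outpath, spawnFn) {
  if (isOptionLike(outpath)) {
    throw new Error(`refusing option-like outpath: ${JSON.stringify(outpath)}`);
  }
  const args = buildCloneArgsFixed(url, outpath);
  return spawnFn('git', args, { stdio: 'inherit', shell: false });
}

// Stand-alone demo; only touches git when executed directly under CommonJS.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable argv ->', injectedUploadPack(buildCloneArgsVulnerable(REPO_URL, EVIL_OUTPATH)));
  console.log('hardened argv   ->', injectedUploadPack(buildCloneArgsFixed(REPO_URL, EVIL_OUTPATH)));
  try {
    safeClone(REPO_URL, EVIL_OUTPATH, require('child_process').spawn);
  } catch (e) {
    console.log('safeClone       ->', e.message);
  }
}
```

The "--" separator only closes the option-parsing hole; an attacker-controlled outpath is still a filesystem path and needs its own validation (traversal, absolute paths, symlinks) in the calling application. The model in injectedUploadPack deliberately covers only the --upload-pack spellings relevant to this CVE; read the project's 2.0.2 commit for the exact change it shipped.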
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-2257
Vulnerability details
The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported for git clone. The source uses the secure child process API spawn(). However, the outpath parameter passed to it may be interpreted as a command-line argument to the git clone command and result in arbitrary command injection.
- CWE(s): CWE-88, Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.