Git-fastclone passes user modifiable strings directly to a shell command · CVE-2015-8969 · GitHub Advisory Database · GitHub

Git-fastclone passes user modifiable strings directly to a shell command

Critical severity GitHub Reviewed Published Aug 15, 2018 to the GitHub Advisory Database • Updated Aug 28, 2023

Package

git-fastclone (RubyGems)

Affected versions

< 1.0.5

Patched versions

1.0.5

Description

git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to cd and git clone commands in the library.

References

Published to the GitHub Advisory Database Aug 15, 2018

Reviewed Jun 16, 2020

Last updated Aug 28, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H