VYPR
High severity · NVD Advisory · Published May 6, 2021 · Updated Aug 3, 2024

CVE-2021-26543

Description

Command injection vulnerability in the gitDiff function of Wayfair git-parse library versions <=1.0.4 allows arbitrary command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The gitDiff function in the Wayfair git-parse library (versions <=1.0.4) contains a command injection vulnerability. The function does not properly sanitize user-supplied input before passing it to a shell command, allowing an attacker to inject arbitrary commands. This issue affects all versions up to and including 1.0.4 and has been resolved in version 1.0.5 [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a crafted repository path or commit hash that includes shell metacharacters (e.g., backticks, semicolons, or pipes) to the gitDiff function. No authentication is required if the attacker can control the input to the function, which is common when applications pass user-supplied data to git-parse without validation [1][3].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the process using the vulnerable library. This can lead to full system compromise, including data exfiltration, file modification, or further lateral movement within the network [1].

Mitigation

Upgrade to git-parse version 1.0.5 or later, which contains a fix for the command injection vulnerability. No workarounds are available for earlier versions. Users should review their code to ensure that no untrusted input is passed to gitDiff without proper sanitization [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
git-parse (npm)    < 1.0.5             1.0.5

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.