CVE-2019-10803

9.8 CRITICAL

📋 TL;DR

CVE-2019-10803 is a command injection vulnerability in the push-dir npm package (all versions through 0.4.1). The value of the 'opt.branch' option is interpolated into a git command line that is executed through the system shell without validation, so anyone who controls the branch name can append shell metacharacters and run arbitrary commands with the privileges of the process running push-dir. Any application, build script or CI job that feeds an externally controlled branch name to a vulnerable push-dir is affected.

💻 Affected Systems

Products:
  • push-dir
Versions: All versions through 0.4.1
Operating Systems: All operating systems where Node.js and git are installed
Default Config Vulnerable: ⚠️ Yes
Notes: Any application, build script or CI job that passes a user- or externally-controlled branch name to push-dir is exploitable. The flaw sits in the core push code path, not in an optional feature, so there is no configuration that disables it.

📦 What is this software?

push-dir is a small Node.js command-line tool that publishes the contents of a directory to a git branch (a typical use is pushing a build output folder such as dist to a gh-pages branch). It does this by assembling git command lines from its options and running them through the shell, which is why an unvalidated branch option becomes command injection.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠

Likely Case

Unauthorized code execution in the context of the application user, potentially leading to data theft, system modification, or service disruption.

🟢

If Mitigated

Limited impact if branch names are validated against a strict allow-list before they reach push-dir and the tool runs with minimal privileges in an isolated environment, so that only the intended git operations can occur.

🌐 Internet-Facing: HIGH - If vulnerable push-dir is used in web applications or CI/CD pipelines exposed to the internet, attackers can exploit remotely.
🏢 Internal Only: MEDIUM - Internal systems using push-dir in automated workflows could be exploited by authenticated users or through other vulnerabilities.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: any value reaching the branch option that contains shell metacharacters (for example ;, &&, |, backticks or $(...)) is executed by the shell. The only precondition is control over the branch argument, for example a CI variable, a web form field, or a pull-request branch name that a pipeline passes to push-dir; no other flaw is required. Public proof-of-concept code demonstrating the injection exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.2 and later

Vendor Advisory: https://github.com/L33T-KR3W/push-dir/security/advisories

Restart Required: No

Instructions:

1. Update the package: 'npm install push-dir@latest' (or 'npm update push-dir' if the version range in package.json already permits the fixed release), then commit the updated lockfile so CI installs the same version.
2. Verify the installed version is 0.4.2 or higher at every depth of the tree: 'npm ls push-dir'.
3. Test functionality to ensure compatibility.
4. Before relying on the upgrade, confirm that a release above 0.4.1 is actually published in the registry ('npm view push-dir versions'); if none is, treat the package as unpatched and apply the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement strict input validation for branch names before passing to push-dir

// JavaScript example: allow-list validation of a branch name before it is passed to push-dir
const branchName = String(userInput);
// Only letters, digits, '.', '_', '-' and '/': no shell metacharacters, whitespace or quotes.
// A leading '-' is rejected because git would read it as an option; '..' is never valid in a ref.
if (!/^[A-Za-z0-9._\/-]+$/.test(branchName) || branchName.startsWith('-') || branchName.includes('..')) {
    throw new Error('Invalid branch name');
}

Use Alternative Git Methods

Platform: all

Replace push-dir with direct git commands or another library that passes the branch name as a discrete argument rather than through a shell string. Note that the snippet below pushes the current working tree; reproducing push-dir's "publish this directory as a branch" behaviour needs adapting to your layout, and the branch variable still has to be validated first, because a value starting with '-' would be read by git as an option.

# Instead of push-dir, run git directly with the branch name held in a validated variable.
# Double quotes keep the value a single argument even if it contains spaces.
git add . && git commit -m 'message' && git push origin "$BRANCH"

🧯 If You Can't Patch

  • Implement strict allow-list validation for all user-controlled parameters passed to push-dir, and prefer pinning the target branch in configuration instead of accepting it from untrusted input at all
  • Run push-dir in isolated containers or sandboxes with minimal privileges and a deploy token scoped to the single target repository

🔍 How to Verify

Check if Vulnerable:

Check package.json and the lockfile for push-dir, or run: npm ls push-dir (lists every copy in the dependency tree, including transitive ones)

Check Version:

npm list push-dir | grep 'push-dir@'

Verify Fix Applied:

Verify version is 0.4.2 or higher: npm list push-dir | grep 'push-dir@'

📡 Detection & Monitoring

Log Indicators:

  • Unusual git commands with shell metacharacters
  • Unexpected command execution in application logs
  • Failed git operations with suspicious branch names

Network Indicators:

  • Unexpected outbound connections from CI/CD systems
  • Unusual git protocol traffic patterns

SIEM Query:

process.name:node AND cmdline:*push-dir* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|* OR cmdline:*`*)

This query also matches the ordinary '&&' chaining found in many CI scripts that mention push-dir, so tune it against a baseline. A more precise signal is the shell that push-dir's git invocation goes through: a sh -c child of a node process whose command contains 'git' together with shell metacharacters, followed by an unexpected grandchild process.
