CVE-2021-23412

8.1 HIGH

📋 TL;DR

CVE-2021-23412 is a command injection vulnerability in the gitlogplus npm package that allows attackers to execute arbitrary commands on the host system. The vulnerability occurs because user-supplied options are appended to shell commands without proper sanitization. This affects any application using vulnerable versions of gitlogplus.

💻 Affected Systems

Products:
  • gitlogplus
Versions: All versions before 0.2.6
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses gitlogplus with user-controlled input is vulnerable. The package is typically used in development tools and automation scripts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing remote code execution, data theft, lateral movement, and complete control of the affected server.

🟠 Likely Case

Arbitrary command execution with the privileges of the application process, potentially leading to data exfiltration, service disruption, or installation of malware.

🟢 If Mitigated

Limited impact if the application runs with minimal privileges, is network-restricted, and validates its input before passing it to gitlogplus.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as it involves passing malicious input to the vulnerable function. Public proof-of-concept exists in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.6

Vendor Advisory: https://www.npmjs.com/advisories/1568

Restart Required: No

Instructions:

1. Update gitlogplus to version 0.2.6 or later using 'npm update gitlogplus'. Note that 'npm update' only moves within the semver range declared in package.json; if that range excludes 0.2.6, install the fixed release explicitly with 'npm install gitlogplus@^0.2.6'.
2. Verify the update with 'npm list gitlogplus'.
3. Test your application functionality after the update.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Validate every parameter passed to gitlogplus functions against an allowlist of expected option names and value formats, and reject any value containing shell metacharacters

Remove Package

all

If gitlogplus is not essential, remove it from your project

npm uninstall gitlogplus

🧯 If You Can't Patch

  • Run the application with minimal privileges (non-root user)
  • Implement network segmentation to limit the impact of potential compromise

🔍 How to Verify

Check if Vulnerable:

Check package.json, or run 'npm list gitlogplus', to see whether the installed version (including any nested copy pulled in by another dependency) is below 0.2.6

Check Version:

npm list gitlogplus | grep gitlogplus

Verify Fix Applied:

Run 'npm list gitlogplus' and verify that every listed copy is version 0.2.6 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • git invocations with unexpected or metacharacter-laden parameters
  • Shell processes (sh, bash, cmd) spawned by Node.js application processes

Network Indicators:

  • Unexpected outbound connections from the application server
  • Data exfiltration patterns

SIEM Query:

process.name:node AND cmdline:*gitlogplus* AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|*)
