CVE-2021-3028
📋 TL;DR
CVE-2021-3028 is a command injection vulnerability in git-big-picture versions before 1.0.0 that allows remote code execution when processing branch names containing single quotes. This affects users who run git-big-picture on untrusted repositories or with untrusted branch names.
💻 Affected Systems
- git-big-picture
📦 What is this software?
Git Big Picture by Git Big Picture Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary code execution as the user running git-big-picture, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Arbitrary code execution in the context of the user running git-big-picture, allowing attackers to access sensitive git repositories, credentials, or system resources.
If Mitigated
Limited impact if running with minimal privileges and in isolated environments, though code execution would still be possible.
🎯 Exploit Status
Exploitation is straightforward - an attacker needs to create a branch with a malicious name containing single quotes and trick a user into running git-big-picture on that repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0 and later
Vendor Advisory: https://github.com/git-big-picture/git-big-picture/releases/tag/v1.0.0
Restart Required: No
Instructions:
1. Update git-big-picture to version 1.0.0 or later using your package manager.
2. For pip installations: 'pip install --upgrade "git-big-picture>=1.0.0"'.
3. Verify the update with 'git-big-picture --version'.
🔧 Temporary Workarounds
Avoid processing untrusted repositories
Do not run git-big-picture on repositories from untrusted sources or with untrusted branch names.
Sanitize branch names
Implement pre-processing to remove or escape single quotes from branch names before using git-big-picture. The following renames every local branch whose name contains a single quote to the same name with the quotes stripped:
git for-each-ref --format='%(refname:short)' refs/heads/ | grep "'" | while IFS= read -r name; do git branch -m "$name" "$(printf '%s' "$name" | tr -d "'")"; done
🧯 If You Can't Patch
- Run git-big-picture in a sandboxed environment with minimal privileges
- Implement strict input validation on branch names before processing
🔍 How to Verify
Check if Vulnerable:
Run 'git-big-picture --version' and check whether the reported version is below 1.0.0. If the version cannot be determined, assume the installation is vulnerable if it was installed before 2021.
Check Version:
git-big-picture --version
Verify Fix Applied:
Run 'git-big-picture --version' and confirm the reported version is 1.0.0 or higher. Then run git-big-picture against a repository that has a branch whose name contains a single quote and confirm that no unexpected command is executed.
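A pre-flight check that combines the version test above with a scan for the branch names the workaround section targets (those containing single quotes). This is an added example, not code from the git-big-picture project; it assumes git is on PATH for the live scan, and the branch list it tests against is a constructed sample.

```python
"""Pre-flight check for CVE-2021-3028: flag branch names that are unsafe to
pass to git-big-picture < 1.0.0 and compare a reported version against the
fixed release (1.0.0). Added example, not the project's own code."""
import re
import subprocess

FIXED_VERSION = (1, 0, 0)


def parse_version(text):
    """Extract the first dotted version in text (e.g. '0.10.1') as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version string found in: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable_version(text):
    """True when the version found in text is below the fixed release 1.0.0."""
    return parse_version(text) < FIXED_VERSION


def unsafe_branches(ref_lines):
    """Return the branch names that contain a single quote, given one short
    ref name per line (the format `git for-each-ref` prints below)."""
    return [b for b in (line.strip() for line in ref_lines) if b and "'" in b]


def scan_repo(path="."):
    """Run the branch check against a real repository (assumes git on PATH)."""
    out = subprocess.run(
        ["git", "-C", path, "for-each-ref",
         "--format=%(refname:short)", "refs/heads/"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unsafe_branches(out.splitlines())


# Constructed sample of what `git for-each-ref` might list; not real data.
SAMPLE_REFS = ["main", "feature/it's-broken", "release-1.0", "hotfix/o'brien"]

if __name__ == "__main__":
    # Feed the output of `git-big-picture --version` here on a real host.
    print("vulnerable version:", is_vulnerable_version("0.10.1"))
    for name in unsafe_branches(SAMPLE_REFS):
        print("branch name unsafe for git-big-picture < 1.0.0:", name)
```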
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution following git-big-picture usage
- Process creation from git-big-picture with unusual arguments
Network Indicators:
- Outbound connections from git-big-picture process to unexpected destinations
SIEM Query:
Process creation events where the parent process name contains 'git-big-picture' and the child command line invokes a shell interpreter (bash, sh) or a network tool such as curl with unusual arguments.
🔗 References
- https://github.com/git-big-picture/git-big-picture/pull/27
- https://github.com/git-big-picture/git-big-picture/pull/62
- https://github.com/git-big-picture/git-big-picture/releases/tag/v1.0.0