Cloud CLI Command Injection Vulnerability in Git Endpoints

Vulnerability

A command injection vulnerability has been identified in Cloud CLI versions prior to 1.24.0. It arises in multiple Git-related API endpoints that build a shell command line by string interpolation of user-controlled parameters (file, branch, message and commit) and run it with execAsync(). Because the interpolated string is handed to a shell, an authenticated attacker can inject arbitrary operating system commands. The vulnerability has been patched in version 1.24.0.

Impact

Exploitation of this vulnerability allows remote code execution as the user running the Node.js process, potentially leading to full server compromise. Because the affected endpoints manage Git repositories, an attacker could also exfiltrate data and, as a supply chain attack, modify committed code to inject malware.

Reproduction

To reproduce this vulnerability, call one of the Git-related API endpoints as an authenticated user and supply a parameter containing shell metacharacters. For example, the 'file' parameter of the 'git status' endpoint can carry command substitution ($(...)) or command chaining (;, &&, |). Because the parameter is interpolated into the command string that execAsync() passes to the shell, the injected command runs on the server with the privileges of the Node.js process, giving remote code execution.

Remediation

Update to Cloud CLI version 1.24.0 or later, where this vulnerability has been fixed. Until the update can be applied, limit which authenticated accounts can reach the Git-related API endpoints, since any authenticated user can trigger the injection.

Added: Mar 11, 2026, 6:23 PM
Updated: Mar 11, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.6
remediation: 0.0
relevance: 3.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.