Intina47 Context-Sync OS Command Injection Vulnerability in Git Integration

A command injection vulnerability has been identified in Intina47 Context-Sync version 2.0.0, specifically within the Git Integration component. The vulnerability allows an attacker with network access to the MCP/HTTP interface to send crafted input that is not properly sanitized before being executed as an OS command. This exploitation could lead to arbitrary command execution with the privileges of the server process, potentially compromising the entire host, including its data, integrity, and availability. The vulnerability is present in versions up to and including 2.0.0.

Impact

Exploitation of this vulnerability allows for OS command injection, with the executed commands running under the server's privileges. This could lead to a full compromise of the host, including unauthorized data access, alteration of server state, and disruption of services.

Reproduction

To reproduce this vulnerability, first set up a Git repository and commit a file. Then, use the 'set_project' command to initialize the Context-Sync project within the repository. After that, send a request to the 'git' tool handler with a crafted argument that exploits the command injection vulnerability by injecting a command into the 'path' parameter.

Remediation

The vulnerability has been patched by modifying the Git integration to use argument-array form for Git commands, eliminating the command injection risk. Users should update to the patched version.