A command injection vulnerability exists in git-interface in the GitHub repository yarkeev/git-interface prior to 2.1.2. If both the git remote and destination directory are provided by user input, then the use of an --upload-pack command-line argument feature of git is also supported for git clone, which would then allow for any operating system command to be spawned by the attacker.
もっと詳しく