CVE-2021-44685: OS Command Injection in Git-it

Dec 07 2021 - 1 min

Description

Git-it through 4.4.0 allows OS command injection at the Branches Aren’t Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution).

Proof of Concept

References

GHSA-wjqc-j537-j9gj
https://github.com/dwisiswant0/advisory/raw/master/.poc/CVE-2021-44685.mp4