Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02MmN4LTV4ajQtd2ZtNM4ABACL
ggit is vulnerable to Command Injection via the fetchTags(branch) API
All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API: the caller-supplied branch name is concatenated into a git command string, and that string is passed to the Node.js child process exec() API, which runs it through a shell, so shell metacharacters in the branch name are interpreted.
Permalink: https://github.com/advisories/GHSA-62cx-5xj4-wfm4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MmN4LTV4ajQtd2ZtNM4ABACL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-62cx-5xj4-wfm4, CVE-2024-21532
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21532
- https://gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02
- https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320
- https://github.com/advisories/GHSA-62cx-5xj4-wfm4
Affected Packages
npm:ggit
Dependent packages: 39
Dependent repositories: 846
Downloads: 63,462 last month
Affected Version Ranges: <= 2.4.12
No known fixed version
All affected versions: 0.0.1, 0.0.3, 0.0.4, 0.0.5, 0.0.11, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.14.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.14.0, 1.15.0, 1.15.1, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.20.0, 1.20.1, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12