Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02ZjlwLWc0NjYtZjh2OM4AA17_

blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API

Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize user input or validate that the given file path conforms to a specific schema, nor does it pass the POSIX end-of-options marker (--) to the git binary before the file path, so the path is not reliably separated from command-line flags.

Permalink: https://github.com/advisories/GHSA-6f9p-g466-f8v8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZjlwLWc0NjYtZjh2OM4AA17_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS Percentage: 0.00075
EPSS Percentile: 0.33537

Identifiers: GHSA-6f9p-g466-f8v8, CVE-2023-26143
References: Repository: https://github.com/kucherenko/blamer
Blast Radius: 21.0

Affected Packages

npm:blamer
Dependent packages: 5
Dependent repositories: 1,684
Downloads: 349,466 last month
Affected Version Ranges: < 1.0.4
Fixed in: 1.0.4
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.5, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 1.0.1, 1.0.3
All unaffected versions: 1.0.4, 1.0.6