Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02ZjlwLWc0NjYtZjh2OM4AA17_
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize user input or validate that the given file path conforms to an expected schema, and it does not terminate option parsing with the POSIX double-dash end-of-options marker (--) before passing the path to the git binary. A caller-controlled path that begins with "-" is therefore interpreted by git as a command-line flag rather than as a pathspec.
Permalink: https://github.com/advisories/GHSA-6f9p-g466-f8v8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZjlwLWc0NjYtZjh2OM4AA17_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Percentage: 0.00075
EPSS Percentile: 0.33537
Identifiers: GHSA-6f9p-g466-f8v8, CVE-2023-26143
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-26143
- https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3
- https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9
- https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318
- https://github.com/advisories/GHSA-6f9p-g466-f8v8
Blast Radius: 21.0
Affected Packages
npm:blamer
Dependent packages: 5
Dependent repositories: 1,684
Downloads: 349,466 last month
Affected Version Ranges: < 1.0.4
Fixed in: 1.0.4
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.5, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 1.0.1, 1.0.3
All unaffected versions: 1.0.4, 1.0.6