Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04Y3hwLWNqbTgtZmozNs4AAj0O
Improper Neutralization of Special Elements used in an OS Command in Blamer
Blamer versions prior to 1.0.1 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer.
Permalink: https://github.com/advisories/GHSA-8cxp-cjm8-fj36JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Y3hwLWNqbTgtZmozNs4AAj0O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8cxp-cjm8-fj36, CVE-2019-10807
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10807
- https://snyk.io/vuln/SNYK-JS-BLAMER-559541
- https://github.com/kucherenko/blamer/commit/5fada8c9b6986ecd28942b724fa682e77ce1e11c
- https://github.com/advisories/GHSA-8cxp-cjm8-fj36
Blast Radius: 31.6
Affected Packages
npm:blamer
Dependent packages: 5Dependent repositories: 1,684
Downloads: 262,552 last month
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.5, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13
All unaffected versions: 1.0.1, 1.0.3, 1.0.4, 1.0.6