Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Z3FyLXhwODYtZjg3aM0z9Q
Code injection in npm git
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. At this time, there is no known workaround. There has been no patch released.
Permalink: https://github.com/advisories/GHSA-9gqr-xp86-f87hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Z3FyLXhwODYtZjg3aM0z9Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 6.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9gqr-xp86-f87h, CVE-2021-23632
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23632
- https://snyk.io/vuln/SNYK-JS-GIT-1568518
- https://github.com/advisories/GHSA-9gqr-xp86-f87h
Affected Packages
npm:git
Dependent packages: 249Dependent repositories: 4,181
Downloads: 69,975 last month
Affected Version Ranges: <= 0.1.5
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5