Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5cTMtODg2Ny01d21w
Remote Command Execution in reg-keygen-git-hash-plugin
Impact
reg-keygen-git-hash-plugin through 0.10.15 allows remote attackers to execute arbitrary commands.
Patches
Upgrade to version 0.10.16 or later.
For more information
If you have any questions or comments about this advisory:
- Open an issue in reg-viz/reg-suit
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ5cTMtODg2Ny01d21w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
Identifiers: GHSA-49q3-8867-5wmp, CVE-2021-32673
References:
- https://github.com/reg-viz/reg-suit/security/advisories/GHSA-49q3-8867-5wmp
- https://nvd.nist.gov/vuln/detail/CVE-2021-32673
- https://github.com/reg-viz/reg-suit/commit/f84ad9c7a22144d6c147dc175c52756c0f444d87
- https://github.com/reg-viz/reg-suit/releases/tag/v0.10.16
- https://www.npmjs.com/package/reg-keygen-git-hash-plugin
- https://github.com/advisories/GHSA-49q3-8867-5wmp
Blast Radius: 17.4
Affected Packages
npm:reg-keygen-git-hash-plugin
Dependent packages: 20
Dependent repositories: 94
Downloads: 173,325 last month
Affected Version Ranges: < 0.10.16
Fixed in: 0.10.16
All affected versions: 0.0.3, 0.0.4, 0.0.5, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.13, 0.0.14, 0.0.17, 0.0.19, 0.1.0, 0.1.2, 0.1.4, 0.2.0, 0.2.6, 0.3.0, 0.3.1, 0.4.0, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.8, 0.5.9, 0.6.0, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.5, 0.7.6, 0.7.16, 0.7.23, 0.7.25, 0.8.5, 0.10.3, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.14, 0.10.15
All unaffected versions: 0.10.16, 0.10.17, 0.11.0, 0.11.1, 0.12.1, 0.12.2, 0.13.0, 0.14.0, 0.14.2, 0.14.3