Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBqaDMtanY3dy05anBy

Command Injection in gm

Versions of gm prior to 1.21.1 are affected by a command injection vulnerability. The vulnerability is triggered when user input is passed into gm.compare(), which fails to sanitize that input correctly before calling the GraphicsMagick binary.

Recommendation

Update to version 1.21.1 or later.

Permalink: https://github.com/advisories/GHSA-pjh3-jv7w-9jpr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBqaDMtanY3dy05anBy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 4 years ago
Updated: almost 2 years ago
Identifiers: GHSA-pjh3-jv7w-9jpr, CVE-2015-7982
References: Repository: https://github.com/aheckmann/gm
Blast Radius: 0.0

Affected Packages

npm:gm
Dependent packages: 1,335
Dependent repositories: 32,670
Downloads: 1,411,374 last month
Affected Version Ranges: <= 1.20.0
Fixed in: 1.21.1
All affected versions: 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.16.0, 1.17.0, 1.18.1, 1.19.0, 1.20.0
All unaffected versions: 1.21.0, 1.21.1, 1.22.0, 1.23.0, 1.23.1, 1.24.0, 1.25.0