GHSA-6c3f-p5wp-34mh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6c3f-p5wp-34mh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-6c3f-p5wp-34mh/GHSA-6c3f-p5wp-34mh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6c3f-p5wp-34mh
- Aliases
-
- CVE-2021-3190
- Published
- 2021-01-29T18:14:00Z
- Modified
- 2023-11-08T04:05:51.640137Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- OS Command Injection in async-git
- Details
-
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. Ensure to sanitize untrusted user input before passing it to one of the vulnerable functions as a workaround or update async-git to version 1.13.1.
- Database specific
{ "cwe_ids": [ "CWE-78" ], "github_reviewed": true, "github_reviewed_at": "2021-01-27T23:33:04Z", "nvd_published_at": "2021-01-26T18:16:00Z", "severity": "CRITICAL" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-3190
- https://github.com/omrilotan/async-git/pull/13
- https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
- https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
- https://github.com/omrilotan/async-git/pull/14
- https://advisory.checkmarx.net/advisory/CX-2021-4772
- https://github.com/omrilotan/async-git
- https://www.npmjs.com/package/async-git
Affected packages
npm / async-git
Package
- Name
- async-git
- View open source insights on deps.dev
- Purl
- pkg:npm/async-git