GHSA-8c3f-x5f9-6h62

Source
https://github.com/advisories/GHSA-8c3f-x5f9-6h62
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-8c3f-x5f9-6h62/GHSA-8c3f-x5f9-6h62.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8c3f-x5f9-6h62
Aliases
  • CVE-2021-32830
Published
2021-09-02T17:08:20Z
Modified
2023-11-08T04:06:01.743612Z
Severity
  • 3.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Command injection in @diez/generation
Details

The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.

Database specific
{
    "github_reviewed_at": "2021-08-19T20:09:43Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-77",
        "CWE-78"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2021-08-17T18:15:00Z"
}
References

Affected packages

npm / @diez/generation

Package

Name
@diez/generation
Purl
pkg:npm/%40diez/generation

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
10.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-8c3f-x5f9-6h62/GHSA-8c3f-x5f9-6h62.json"