CVE-2023-26143

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26143

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26143.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26143

Aliases

GHSA-6f9p-g466-f8v8

Published

2023-09-19T05:17:10Z

Modified

2025-07-29T10:50:56.457890Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

References

Affected packages

Git / github.com/kucherenko/blamer

Affected ranges

Type: GIT
Repo: https://github.com/kucherenko/blamer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0965877f115753371a2570f10a63c455d2b2cde3

Affected versions

v1.*

v1.0.1

v1.0.3