GHSA-62cx-5xj4-wfm4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-62cx-5xj4-wfm4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-62cx-5xj4-wfm4/GHSA-62cx-5xj4-wfm4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-62cx-5xj4-wfm4
- Aliases
-
- CVE-2024-21532
- Published
- 2024-10-08T06:30:47Z
- Modified
- 2024-10-08T15:12:10.837137Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- ggit is vulnerable to Command Injection via the fetchTags(branch) API
- Details
-
All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.
- Database specific
{ "github_reviewed_at": "2024-10-08T14:38:48Z", "cwe_ids": [ "CWE-78" ], "nvd_published_at": "2024-10-08T05:15:13Z", "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
npm / ggit
Package
- Name
- ggit
- View open source insights on deps.dev
- Purl
- pkg:npm/ggit