GHSA-6f9p-g466-f8v8

Source
https://github.com/advisories/GHSA-6f9p-g466-f8v8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-6f9p-g466-f8v8/GHSA-6f9p-g466-f8v8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6f9p-g466-f8v8
Aliases
Published
2023-09-19T06:30:17Z
Modified
2023-11-08T04:11:59.866819Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API
Details

Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize user input or validate that the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

Database specific
{
    "github_reviewed_at": "2023-09-21T17:07:40Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-88"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2023-09-19T05:17:10Z"
}
References

Affected packages

npm / blamer

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.4