GHSA-9gqr-xp86-f87h

Source

https://github.com/advisories/GHSA-9gqr-xp86-f87h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-9gqr-xp86-f87h/GHSA-9gqr-xp86-f87h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9gqr-xp86-f87h

Aliases

CVE-2021-23632

Published

2022-03-18T00:01:11Z

Modified

2026-03-13T21:56:45.645352Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Code injection in npm git

Details

All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. At this time, there is no known workaround. There has been no patch released.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-78",
        "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T22:39:15Z",
    "nvd_published_at": "2022-03-17T12:15:00Z"
}

References

Affected packages

npm / git

Package

Name: git; View open source insights on deps.dev
Purl: pkg:npm/git

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.1.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-9gqr-xp86-f87h/GHSA-9gqr-xp86-f87h.json"