CVE-2021-3190 – async-git

Package

Manager: npm
Name: async-git
Vulnerable Version: >=0 <1.13.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.20943 pctl0.95417

Details

OS Command Injection in async-git The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. Ensure to sanitize untrusted user input before passing it to one of the vulnerable functions as a workaround or update async-git to version 1.13.1.

Metadata

Created: 2021-01-29T18:14:00Z
Modified: 2022-05-03T02:56:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-6c3f-p5wp-34mh/GHSA-6c3f-p5wp-34mh.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-6c3f-p5wp-34mh
Finding: F404
Auto approve: 1