CVE-2023-26143 – blamer
Package
Manager: npm
Name: blamer
Vulnerable Version: >=0 <1.0.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00063 (percentile 0.19769)
Details
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library neither sanitizes the caller-supplied file path nor validates that it conforms to an expected form, and it does not terminate option parsing with the POSIX double-dash (--) before passing the path to the git binary. A path that begins with a dash is therefore parsed by git as a command-line option rather than as a file name, which lets whoever controls the path inject arbitrary git blame options (CWE-88).
Metadata
Created: 2023-09-19T06:30:17Z
Modified: 2023-09-22T18:48:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-6f9p-g466-f8v8/GHSA-6f9p-g466-f8v8.json
CWE IDs: ["CWE-88"]
Alternative ID: GHSA-6f9p-g466-f8v8
Finding: F014
Auto approve: 1