CVE-2024-21532 – ggit
Package
Manager: npm
Name: ggit
Vulnerable Version: >=0 <=2.4.12
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00614 (percentile 0.68929)
Details
ggit is vulnerable to Command Injection (OS command injection, CWE-78) via the fetchTags(branch) API. All versions of the package up to and including 2.4.12 are affected: the API lets the caller supply the name of the branch to be fetched, concatenates that string directly into a git command line, and passes the resulting string to the Node.js child_process exec() API, which runs it through a shell. Shell metacharacters in an attacker-controlled branch name (for example `;`, `|`, `$(...)`) therefore execute as additional commands with the privileges of the Node.js process. No fixed version is listed in the advisory, so callers must validate or avoid passing untrusted input to fetchTags.
Metadata
Created: 2024-10-08T06:30:47Z
Modified: 2024-10-08T14:38:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-62cx-5xj4-wfm4/GHSA-62cx-5xj4-wfm4.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-62cx-5xj4-wfm4
Finding: F404
Auto approve: 1