CVE-2021-44685 – git-it-electron
Package
Manager: npm
Name: git-it-electron
Vulnerable Version: >=0 <=4.3.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01961 (percentile 0.82788)
Details
Command injection in git-it-electron Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During verification, it runs the reflog command followed by the current branch name, which is not sanitized before being passed to the shell for execution.
Metadata
Created: 2021-12-08T00:01:44Z
Modified: 2022-08-30T17:34:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wjqc-j537-j9gj/GHSA-wjqc-j537-j9gj.json
CWE IDs: CWE-78
Alternative ID: GHSA-wjqc-j537-j9gj
Finding: F404
Auto approve: 1