CVE-2021-23632 – git
Package
Manager: npm
Name: git
Vulnerable Version: >=0 <=0.1.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03224 (percentile: 0.86565)
Details
Code injection in npm git
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. At this time, there is no known workaround. There has been no patch released.
Metadata
Created: 2022-03-18T00:01:11Z
Modified: 2022-03-25T16:13:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-9gqr-xp86-f87h/GHSA-9gqr-xp86-f87h.json
CWE IDs: ["CWE-78", "CWE-94"]
Alternative ID: GHSA-9gqr-xp86-f87h
Finding: F004
Auto approve: 1