CVE-2024-21532
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
Summary
All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | ggit | 0 < * | affected |
Weaknesses
- CWE-78: Command Injection
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320
- https://gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.