The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
References
Link | Resource |
---|---|
https://advisory.checkmarx.net/advisory/CX-2021-4772 | Exploit Third Party Advisory |
https://github.com/omrilotan/async-git/pull/13 | Third Party Advisory |
https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a | Patch Third Party Advisory |
https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a | Patch Third Party Advisory |
https://github.com/omrilotan/async-git/pull/14 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-01-21T07:11:33
Updated: 2021-03-30T13:16:06
Reserved: 2021-01-21T00:00:00
Link: CVE-2021-3190
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-01-26T18:16:28.287
Modified: 2022-04-29T19:26:46.927
Link: CVE-2021-3190
JSON object: View
Redhat Information
No data.
CWE