CVE-2021-3190 Information
Jun 07, 2022
Description
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters as demonstrated by git.reset and git.tag.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
https://github.com/omrilotan/async-git/pull/14
https://github.com/omrilotan/async-git/pull/13
https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
https://advisory.checkmarx.net/advisory/CX-2021-4772
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Base Severity
CRITICAL