exploitDog

GHSA-5875-m6jq-vf78

Published: 14 May 2022
Source: github
GitHub: reviewed
CVSS3: 9.8

Description

Command injection in workspace-tools

The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Packages

Name: workspace-tools (npm)
Affected versions: < 0.18.4
Fixed version: 0.18.4

EPSS

Percentile: 79%
Score: 0.01249
Low

CVSS3

9.8 Critical

Weaknesses

CWE-77

Related vulnerabilities

CVSS3: 8.1
nvd
more than 3 years ago

The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.