CVE-2020-28490

Опубликовано: 18 фев. 2021

Источник: nvd

CVSS3: 9.1

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb')

Ссылки

https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d
Patch
Third Party Advisory
https://github.com/omrilotan/async-git/pull/14
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-ASYNCGIT-1064877
Patch
Third Party Advisory
https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d
Patch
Third Party Advisory
https://github.com/omrilotan/async-git/pull/14
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-ASYNCGIT-1064877
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:async-git_project:async-git:*:*:*:*:*:node.js:*:*

Версия до 1.13.2 (исключая)

EPSS

Процентиль: 91%

0.069

Низкий

9.1 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-6qpr-9mc5-7gch

CVSS3: 9.8

github

почти 5 лет назад

Command Injection in async-git

EPSS

Процентиль: 91%

0.069

Низкий

9.1 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78