Home > Vulnerability Database > CVE-2023-26143

Mend.io Vulnerability Database

CVE-2023-26143

Good to know:

Date: September 19, 2023

Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

Language: TYPE_SCRIPT

Severity Score

9.1

Related Resources (4)

Url: https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3

Url: https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26143

Url: https://www.mend.io/vulnerability-database/CVE-2023-26143

Severity Score

9.1

Weakness Type (CWE)

Argument Injection or Modification

CWE-88

Top Fix

Upgrade Version

Upgrade to version blamer - 1.0.4

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26143

Good to know:

Date: September 19, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?