WS-2021-0245 | Mend Vulnerability Database

Vulnerability DatabaseWS-2021-0245

WS-2021-0245

November 03, 2024

A Command Injection vulnerability was found in @npmcli/git before 2.0.8. It may result in arbitrary shell command execution due to improper argument sanitization when "npmcli/git" is used to execute Git commands based on user-controlled input. The impact of this issue is possible Arbitrary Command Injection when npmcli/git is run with untrusted (user-controlled) Git command arguments.

Related Resources (3)

https://github.com/npm/git/pull/29

https://github.com/npm/git/security/advisories/GHSA-hxwm-x553-x359

https://github.com/npm/git/commit/9fab115eaaa4e0adc0260b17a4feb83d339327eb

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Products

Solutions

Resources

Company

Compare

Developer Tools