CVE-2023-26134: git-commit-info vulnerable to Command Injection
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection: the package-exported method gitCommitInfo() fails to sanitize its commit parameter, which later flows into a sensitive command execution API. As a result, attackers may inject arguments to the git binary.
References
- github.com/JPeer264/node-git-commit-info
- github.com/JPeer264/node-git-commit-info/commit/f7c491ede51f886a988af9b266797cb24591d18c
- github.com/JPeer264/node-git-commit-info/issues/24
- github.com/advisories/GHSA-h42j-mrmp-9369
- nvd.nist.gov/vuln/detail/CVE-2023-26134
- security.snyk.io/vuln/SNYK-JS-GITCOMMITINFO-5740174
- www.npmjs.com/package/execa/v/5.1.0