Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
History

Wed, 25 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-09-19T05:00:01.083Z

Updated: 2024-09-25T15:25:49.067Z

Reserved: 2023-02-20T10:28:48.928Z

Link: CVE-2023-26143

cve-icon Vulnrichment

Updated: 2024-08-02T11:39:06.597Z

cve-icon NVD

Status : Modified

Published: 2023-09-19T05:17:10.443

Modified: 2024-11-21T07:50:52.047

Link: CVE-2023-26143

cve-icon Redhat

No data.