Lucene search

[email protected]CVE-2022-25853

HistoryFeb 06, 2023 - 5:15 a.m.

CVE-2022-25853

2023-02-0605:15:11

CWE-78

[email protected]

web.nvd.nist.gov

cve-2022-25853

package vulnerability

command injection

input sanitization

nvd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

15.8%

JSON

All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.

Affected configurations

NVD

Node

semver-tags_projectsemver-tagsMatch-node.js

CPENameOperatorVersion
semver-tags_project:semver-tagssemver-tags project semver-tagseq-

CPE	Name	Operator	Version
semver-tags_project:semver-tags	semver-tags project semver-tags	eq	-

CNA Affected

[
  {
    "product": "semver-tags",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

References

github.com/jtrussell/semver-tags/blob/db1ba680bafed0d51e1bb36bd38f2c5439fe8b00/lib/get-tags.js%23L21

security.snyk.io/vuln/SNYK-JS-SEMVERTAGS-3175612

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

15.8%

JSON

Related for CVE-2022-25853

nvd1 veracode1 osv1 redhatcve1 prion1 github1 cvelist1