ID NODEJS:1614
Type nodejs
Reporter Anonymous
Modified 2021-02-22T18:30:38
Description
Overview
Affected versions of the async-git package allow OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
Recommendation
Upgrade to version 1.13.2 or later.
References
{"id": "NODEJS:1614", "type": "nodejs", "bulletinFamily": "software", "title": "OS Command Injection", "description": "## Overview\n\nAffected versions of the `async-git` package allow OS Command Injection via shell metacharacters, as demonstrated by `git.reset` and `git.tag`.\n\n## Recommendation\n\nUpgrade to version 1.13.2 or later.\n\n## References\n\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-3190)\n- [GitHub Advisory](https://github.com/advisories/GHSA-6c3f-p5wp-34mh)", "published": "2021-02-22T18:30:38", "modified": "2021-02-22T18:30:38", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.npmjs.com/advisories/1614", "reporter": "Anonymous", "references": [], "cvelist": ["CVE-2021-3190"], "lastseen": "2021-02-22T20:29:02", "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-3190"]}, {"type": "github", "idList": ["GHSA-6C3F-P5WP-34MH"]}], "modified": "2021-02-22T20:29:02", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2021-02-22T20:29:02", "rev": 2}, "vulnersScore": 5.6}, "affectedSoftware": [{"operator": "lt", "version": "1.13.2", "name": "async-git"}]}
{"cve": [{"lastseen": "2021-02-02T07:55:04", "description": "The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-26T18:16:00", "title": "CVE-2021-3190", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3190"], "modified": "2021-01-30T00:45:00", "cpe": [], "id": "CVE-2021-3190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3190", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "github": [{"lastseen": "2021-01-30T14:48:06", "bulletinFamily": "software", "cvelist": ["CVE-2021-3190"], "description": "The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.", "edition": 2, "modified": "2021-01-29T18:14:00", "published": "2021-01-29T18:14:00", "id": "GHSA-6C3F-P5WP-34MH", "href": "https://github.com/advisories/GHSA-6c3f-p5wp-34mh", "title": "OS Command Injection in async-git", "type": "github", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}