Vulnerability Details CVE-2021-3190
The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.03
EPSS Ranking 86.1%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://advisory.checkmarx.net/advisory/CX-2021-4772
- https://github.com/omrilotan/async-git/pull/13
- https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
- https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
- https://github.com/omrilotan/async-git/pull/14
- https://advisory.checkmarx.net/advisory/CX-2021-4772
- https://github.com/omrilotan/async-git/pull/13
- https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a
- https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a
- https://github.com/omrilotan/async-git/pull/14
Products affected by CVE-2021-3190
-
cpe:2.3:a:async-git_project:async-git:1.0.0
-
cpe:2.3:a:async-git_project:async-git:1.1.0
-
cpe:2.3:a:async-git_project:async-git:1.10.0
-
cpe:2.3:a:async-git_project:async-git:1.10.1
-
cpe:2.3:a:async-git_project:async-git:1.11.0
-
cpe:2.3:a:async-git_project:async-git:1.12.0
-
cpe:2.3:a:async-git_project:async-git:1.13.0
-
cpe:2.3:a:async-git_project:async-git:1.13.1
-
cpe:2.3:a:async-git_project:async-git:1.2.0
-
cpe:2.3:a:async-git_project:async-git:1.3.0
-
cpe:2.3:a:async-git_project:async-git:1.3.1
-
cpe:2.3:a:async-git_project:async-git:1.3.2
-
cpe:2.3:a:async-git_project:async-git:1.4.0
-
cpe:2.3:a:async-git_project:async-git:1.5.0
-
cpe:2.3:a:async-git_project:async-git:1.5.1
-
cpe:2.3:a:async-git_project:async-git:1.6.0
-
cpe:2.3:a:async-git_project:async-git:1.6.1
-
cpe:2.3:a:async-git_project:async-git:1.7.0
-
cpe:2.3:a:async-git_project:async-git:1.8.0
-
cpe:2.3:a:async-git_project:async-git:1.9.0