Vulnerability Details CVE-2023-26143
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.7%
CVSS Severity
CVSS v3 Score 6.5
References
- https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9
- https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3
- https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318
- https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9
- https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3
- https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318
Products affected by CVE-2023-26143
-
cpe:2.3:a:blamer_project:blamer:-
-
cpe:2.3:a:blamer_project:blamer:0.1.1
-
cpe:2.3:a:blamer_project:blamer:0.1.10
-
cpe:2.3:a:blamer_project:blamer:0.1.11
-
cpe:2.3:a:blamer_project:blamer:0.1.12
-
cpe:2.3:a:blamer_project:blamer:0.1.13
-
cpe:2.3:a:blamer_project:blamer:0.1.2
-
cpe:2.3:a:blamer_project:blamer:0.1.3
-
cpe:2.3:a:blamer_project:blamer:0.1.5
-
cpe:2.3:a:blamer_project:blamer:0.1.7
-
cpe:2.3:a:blamer_project:blamer:0.1.8
-
cpe:2.3:a:blamer_project:blamer:0.1.9
-
cpe:2.3:a:blamer_project:blamer:1.0.1
-
cpe:2.3:a:blamer_project:blamer:1.0.3