CVE-2021-3190 : The async-git package before 1.13.2 for Node.js allows OS Command Injection via

The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.

Published 2021-01-26 18:16:28

Updated 2022-04-29 19:26:47

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2021-3190

Async-git Project » Async-git » For Node.js
Versions before (<) 1.13.2
cpe:2.3:a:async-git_project:async-git:*:*:*:*:*:node.js:*:*
Matching versions

EPSS FAQ

3.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 85 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

https://github.com/omrilotan/async-git/pull/14

Use spawn with git to avoid shell script vulnerabilities by omrilotan · Pull Request #14 · omrilotan/async-git · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://advisory.checkmarx.net/advisory/CX-2021-4772

Checkmarx Advisory | CX-2021-4772 / Command injection vulnerability in async-git
Exploit;Third Party Advisory
https://github.com/omrilotan/async-git/pull/13

Add test for reported vulnerabilities by omrilotan · Pull Request #13 · omrilotan/async-git · GitHub
Third Party Advisory
https://github.com/omrilotan/async-git/pull/13/commits/611823bd97dd41e9e8127c38066868ff9dcfa57a

Add test for reported vulnerabilities by omrilotan · Pull Request #13 · omrilotan/async-git · GitHub
Patch;Third Party Advisory
https://github.com/omrilotan/async-git/pull/13/commits/a5f45f58941006c4cc1699609383b533d9b92c6a

Add test for reported vulnerabilities by omrilotan · Pull Request #13 · omrilotan/async-git · GitHub
Patch;Third Party Advisory

Jump to