Command Injection Affecting gitblame package, versions *
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.25% (66th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-GITBLAME-1050430
- published 26 Jan 2021
- disclosed 26 Jan 2021
- credit JHU System Security Lab
Introduced: 26 Jan 2021
CVE-2020-28434 Open this link in a new tabHow to fix?
There is no fixed version for gitblame
.
Overview
gitblame is a package that uses git blame to find out who modified a file.
Affected versions of this package are vulnerable to Command Injection. The injection point is located in line 15 in lib/gitblame.js
.
PoC
var a =require("gitblame");
a("& touch JHU",function(){})
CVSS Scores
version 3.1