CVE-2021-23632
Code injection in npm git
6.6
MEDIUM
CVSS 3.1
EPSS 3.4%
Description
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. At this time, there is no known workaround. There has been no patch released.
How to fix CVE-2021-23632
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2021-23632 being exploited?
Low — EPSS is 3.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 0.1.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |