CVE-2023-26143
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS 0.06%
Description
Versions of the blamer package before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize user input or validate that the given file path conforms to a specific schema, nor does it properly terminate the git command line with the POSIX double-dash separator (--) so that the git binary stops treating subsequent arguments as options.
How to fix CVE-2023-26143
To remediate CVE-2023-26143, upgrade the affected package to a fixed version below.
- Upgrade to 1.0.4 or later
Is CVE-2023-26143 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- blamer: all versions from 0 up to, but not including, 1.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |