CVE-2020-28490

CRITICAL9.8EPSS 6.9%

Command Injection in async-git

發布日:2021/4/12修改日:2026/3/13

描述

The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: `git.reset('atouch HACKEDb')`

受影響套件(1)

npm/async-gitfrom 0, < 1.13.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-28490
WEBhttps://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d
WEBhttps://github.com/omrilotan/async-git/pull/14
WEBhttps://snyk.io/vuln/SNYK-JS-ASYNCGIT-1064877
WEBhttps://www.npmjs.com/package/async-git