CVE-2023-26143
Severity: MEDIUM 6.5 | EPSS 0.06%
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API
Published: 2023/9/19 | Modified: 2025/9/26
Description
Versions of the blamer package before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
Affected packages (1)
- npm/blamer: from 0, < 1.0.4
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-26143
- PATCH: https://github.com/kucherenko/blamer
- WEB: https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9
- WEB: https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3
- WEB: https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318