CVE-2023-26143
CVSS 6.5 MEDIUM · EPSS 0.9% · CWE-88
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5 · EPSS 0.9% · KEV: no · PoC · Patch
Lifecycle
Sep 19, 2023: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library neither sanitizes user input nor validates that the given file path conforms to a specific schema, and it does not terminate the command-line flags it passes to the git binary with the POSIX end-of-options marker (--), so a caller-controlled path that begins with a dash is interpreted by git as an option rather than as a file name.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P
Affected products
n/a · blamer