push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands.
CVE-2019-10803 - Critical Severity Vulnerability
Push a directory to a remote branch
Library home page: https://registry.npmjs.org/push-dir/-/push-dir-0.4.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/push-dir/package.json
Dependency Hierarchy: - :x: **push-dir-0.4.1.tgz** (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands.
Publish Date: 2020-02-28
URL: CVE-2019-10803
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here