CVE-2023-26143

Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9	Exploit Third Party Advisory
https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3	Patch
https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blamer_project:blamer:*:*:*:*:*:node.js:*:*

History

21 Sep 2023, 19:28

Type	Values Removed	Values Added
References	~~(MISC) https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318 -~~	(MISC) https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318 - Exploit, Third Party Advisory
References	~~(MISC) https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9 -~~	(MISC) https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9 - Exploit, Third Party Advisory
References	~~(MISC) https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3 -~~	(MISC) https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3 - Patch
First Time		Blamer Project Blamer Project blamer
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
CWE		CWE-88
CPE		cpe:2.3:a:blamer_project:blamer::::::node.js::*

19 Sep 2023, 05:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-19 05:17

Updated : 2024-02-28 20:33

NVD link : CVE-2023-26143

Mitre link : CVE-2023-26143

CVE.ORG link : CVE-2023-26143

JSON object : View

Products Affected

blamer_project

blamer

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

{"id": "CVE-2023-26143", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2023-09-19T05:17:10.443", "references": [{"url": "https://gist.github.com/lirantal/14c3686370a86461f555d3f0703e02f9", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}, {"url": "https://github.com/kucherenko/blamer/commit/0965877f115753371a2570f10a63c455d2b2cde3", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-BLAMER-5731318", "tags": ["Exploit", "Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-88"}]}, {"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-88"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize for user input or validate the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options."}, {"lang": "es", "value": "Las versiones del paquete blamer anteriores a 1.0.4 son vulnerables a la inyecci\u00f3n Arbitraria de Argumentos a trav\u00e9s de la API blameByFile(). La librer\u00eda no sanitiza la entrada del usuario ni valida que la ruta de archivo dada se ajuste a un esquema espec\u00edfico, ni pasa correctamente los indicadores de l\u00ednea de comandos al binario git utilizando los caracteres POSIX de doble gui\u00f3n (--) para comunicar el final de las opciones. "}], "lastModified": "2023-11-07T04:09:27.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blamer_project:blamer:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A8E6FC04-030F-4B2D-9484-213E324BBB7A", "versionEndExcluding": "1.0.4"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}