Description
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.
Remediation
References
https://github.com/JPeer264/node-git-commit-info/commit/f7c491ede51f886a988af9b266797cb24591d18c
https://security.snyk.io/vuln/SNYK-JS-GITCOMMITINFO-5740174
https://github.com/JPeer264/node-git-commit-info/issues/24
Related Vulnerabilities
CVE-2010-2076 Vulnerability in maven package org.apache.cxf:cxf-bundle-jaxrs
CVE-2016-4468 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-uaa
CVE-2022-25967 Vulnerability in npm package eta
CVE-2023-44487 Vulnerability in maven package io.helidon.http:helidon-http-http2