ogit@1.28.0

  • Vulnerabilities: 1 via 7 paths
  • Dependencies: 160
  • Source: npm


high severity

Command Injection

  • Vulnerable module: lodash.template
  • Introduced through: @oclif/plugin-help@2.2.3, @oclif/plugin-warn-if-update-available@1.7.0 and others

Detailed paths

  • Introduced through: ogit@1.28.0 @oclif/plugin-help@2.2.3 lodash.template@4.5.0
  • Introduced through: ogit@1.28.0 @oclif/plugin-warn-if-update-available@1.7.0 lodash.template@4.5.0
  • Introduced through: ogit@1.28.0 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0
  • Introduced through: ogit@1.28.0 @oclif/plugin-autocomplete@0.1.5 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0
  • Introduced through: ogit@1.28.0 @oclif/plugin-help@2.2.3 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0
  • Introduced through: ogit@1.28.0 @oclif/plugin-not-found@1.2.4 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0
  • Introduced through: ogit@1.28.0 @oclif/plugin-warn-if-update-available@1.7.0 @oclif/command@1.8.0 @oclif/plugin-help@3.2.2 lodash.template@4.5.0

Overview

lodash.template is the Lodash method _.template exported as a Node.js module.

Affected versions of this package are vulnerable to Command Injection via template.

PoC

var _ = require('lodash');

_.template('', { variable: '){console.log(process.env)}; with(obj' })()

Remediation

There is no fixed version for lodash.template.
