Command Injection

Affecting @graphql-tools/git-loader package, versions <6.2.6


Overview

Affected versions of this package are vulnerable to Command Injection. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. As this is a dev tool, the input is generally controlled by the user who executes the command.

Remediation

Upgrade @graphql-tools/git-loader to version 6.2.6 or higher.

CVSS Score

5.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Credit
Ron Masas
CVE
CVE-2021-23326
CWE
CWE-77
Snyk ID
SNYK-JS-GRAPHQLTOOLSGITLOADER-1062543
Disclosed
19 Jan, 2021
Published
20 Jan, 2021