CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.

@@ -32,7 +32,7 @@ describe('lib/reset', async() => {

  

it('Should hard reset to a given sha', async() \=> {

reset('shaid');

expect(exec.getCall(0).args\[0\]).to.equal('git reset shaid --hard');

expect(exec.getCall(0).args\[0\]).to.equal('git reset "shaid" --hard');

});

  

it('Should hard reset to n commits back', async() \=> {

@@ -47,6 +47,6 @@ describe('lib/reset', async() => {

  

it('Should reset w/o hard argument', async() \=> {

reset('shaid', { hard: false });

expect(exec.getCall(0).args\[0\].trim()).to.equal('git reset shaid');

expect(exec.getCall(0).args\[0\].trim()).to.equal('git reset "shaid"');

});

});

Headline

CVE-2021-3190: Add test for reported vulnerabilities by omrilotan · Pull Request #13 · omrilotan/async-git

CVE: Latest News