{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21532", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.123Z", "datePublished": "2024-10-08T05:00:03.891Z", "dateUpdated": "2024-10-08T14:01:26.268Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P"}}], "credits": [{"value": "Liran Tal", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "Command Injection", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-10-08T05:00:03.891Z"}, "descriptions": [{"value": "All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320"}, {"url": "https://gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02"}], "affected": [{"product": "ggit", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"affected": [{"vendor": "bahmutov", "product": "ggit", "cpes": ["cpe:2.3:a:bahmutov:ggit:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-08T13:59:35.467621Z", "id": "CVE-2024-21532", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T14:01:26.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-08T13:59:35.467621Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:bahmutov:ggit:*:*:*:*:*:*:*:*"], "vendor": "bahmutov", "product": "ggit", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T14:01:21.141Z"}}], "cna": {"credits": [{"lang": "en", "value": "Liran Tal"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "ggit", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320"}, {"url": "https://gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02"}], "descriptions": [{"lang": "en", "value": "All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-10-08T05:00:03.891Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21532", "state": "PUBLISHED", "dateUpdated": "2024-10-08T14:01:26.268Z", "dateReserved": "2023-12-22T12:33:20.123Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-10-08T05:00:03.891Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API."}], "id": "CVE-2024-21532", "lastModified": "2024-10-08T05:15:13.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2024-10-08T05:15:13.920", "references": [{"source": "report@snyk.io", "url": "https://gist.github.com/lirantal/d8f87b366d2078e6118ab7bf2b005f02"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-GGIT-5731320"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "report@snyk.io", "type": "Secondary"}]}

{}