Remote Command Execution in reg-keygen-git-hash-plugin

High

Quramy published GHSA-49q3-8867-5wmp

Jun 8, 2021

Package

reg-keygen-git-hash-plugin (npm)

Affected versions

<0.10.16

Patched versions

0.10.16

Description

Impact

reg-keygen-git-hash-plugin through 0.10.15 allow remote attackers to execute of arbitrary commands.

Patches

Upgrade to version 0.10.16 or later.

For more information

If you have any questions or comments about this advisory:

Open an issue in reg-viz/reg-suit

Severity

High

8.8

/ 10

CVSS base metrics

Attack vector

Adjacent

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L