CVE-2021-26541
Published 2021-02-08
Priority P2 · 63 · critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS
5.36%
91.6th percentile
The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlog_project | gitlog | < 4.0.4 | 4.0.4 |
| gitlog_project | gitlog | >= 0 < 4.0.4 | 4.0.4 |
| linux | linux_kernel | >= 0 < 5.4.0-92.103 | 5.4.0-92.103 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 6.5 | MEDIUM | |
OSV
osv·2022-01-06·CVSS 6.5
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
Nadav Amit discovered that the hugetlb implementation in the Linux kernel
did not perform TLB flushes under certain conditions. A local attacker
could use this to leak or alter data from other processes that use huge
pages. (CVE-2021-4002)
It was discovered that the Linux kernel did not properly enforce certain
types of entries in the Secure Boot Forbidden Signature Database (aka dbx)
protection mechanism. An attacker could use this to bypass UEFI Secure Boot
restrictions. (CVE-2020-26541)
It was discovered that a r
OSV
linux-oem-5.10 vulnerabilities
osv·2021-10-06·CVSS 6.5
CVE-2021-41073 linux-oem-5.10 vulnerabilities
Valentina Palmiotti discovered that the io_uring subsystem in the Linux
kernel could be coerced to free adjacent memory. A local attacker could use
this to execute arbitrary code. (CVE-2021-41073)
It was discovered that the Linux kernel did not properly enforce certain
types of entries in the Secure Boot Forbidden Signature Database (aka dbx)
protection mechanism. An attacker could use this to bypass UEFI Secure Boot
restrictions. (CVE-2020-26541)
It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly perform reference counting in some situations,
leading to a use-after-free vulnerability. An attacker who could start and
control a VM could possibly use this to expose sensitive information or
execute arbitrary code. (C
GHSA
Command injection in gitlog
ghsa·2021-04-13
CVE-2021-26541 [CRITICAL] CWE-77 Command injection in gitlog
The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
OSV
Command injection in gitlog
osv·2021-04-13
CVE-2021-26541 [CRITICAL] Command injection in gitlog
The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2021-02-08