CVE-2023-26134
Published 2023-06-28
Priority P181 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 3.64% (88.1th percentile)
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo() fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| git-commit-info_project | git-commit-info | < 2.0.2 | 2.0.2 |
| git-commit-info_project | git-commit-info | >= 0 < 2.0.2 | 2.0.2 |
CVSS provenance
NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck · 9.8 CRITICAL
OSV
git-commit-info vulnerable to Command Injection
osv · 2023-06-28
CVE-2023-26134 [HIGH]
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo() fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject arguments to the git binary.
GHSA
git-commit-info vulnerable to Command Injection
ghsa · 2023-06-28
CVE-2023-26134 [HIGH] · CWE-77
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo() fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject arguments to the git binary.
VulnCheck
git-commit-info_project git-commit-info: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2023 · CVSS 9.8
CVE-2023-26134 [CRITICAL]
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo() fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.
Affected: git-commit-info_project git-commit-info
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
No detection rules found.
No public exploits indexed.
Trendmicro
Trend is a Launch Partner for Amazon Security Lake
blogs_trendmicro · 2023-06-02 · CVSS 9.8
CVE-2022-26134 [CRITICAL] (note: this article discusses the Confluence vulnerability CVE-2022-26134, not CVE-2023-26134)
Compliance & Risks
## Trend is a Launch Partner for Amazon Security Lake
Trend Micro is proud to be a launch partner for Amazon Security Lake, which puts the customer in control, making critical data available to them from third-party security and analytics solutions of their choice.
By: Erin Sindelar, Jun 02, 2023
In September 2022, there was a critical bug in Confluence, CVE-2022-26134, which was under active exploit. Due to the nature of the vulnerability, customers could find out if they were impacted, but they couldn’t necessarily determine the initial infection point. They could have been exploited 3 days, or 90 days, or even 3 years prior. And data older than 90 days isn’t stored by most EDR vendors. Even worse, if a customer had switched EDR ven…
References:
- https://github.com/JPeer264/node-git-commit-info/commit/f7c491ede51f886a988af9b266797cb24591d18c
- https://github.com/JPeer264/node-git-commit-info/issues/24
- https://security.snyk.io/vuln/SNYK-JS-GITCOMMITINFO-5740174