PT-2021-15435 · Npm · @Graphql-Tools/Git-Loader

Dotan Simha

Published

2021-01-20

Updated

2022-05-27

CVE-2021-23326

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions @graphql-tools/git-loader versions prior to 6.2.6

Description The issue allows for arbitrary command injection due to the use of exec and execSync in the load-git.ts file. This is a result of the package's design, which enables an attacker to inject malicious commands.

Recommendations For versions prior to 6.2.6, update to version 6.2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the load-git.ts file or disabling the use of exec and execSync functions until a patch is applied.

Fix

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

CVE-2021-23326

GHSA-VHHW-XJVF-WPRR

SNYK-JS-GRAPHQLTOOLSGITLOADER-1062543

Affected Products

@Graphql-Tools/Git-Loader

PT-2021-15435 · Npm · @Graphql-Tools/Git-Loader

CVE-2021-23326

Weakness Enumeration

Related Identifiers

Affected Products

References · 11