npm package
ungit
pkg:npm/ungit
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-25766 | — | < 1.5.20 | 1.5.20 | Mar 21, 2022 | The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible | ||
| CVE-2015-4130 | cri | — | < 0.9.0 | 0.9.0 | Aug 31, 2020 | Versions of `ungit` prior to 0.9.0 are affected by a command injection vulnerability in the `url` parameter. ## Recommendation Update version 0.9.0 or later. |
- CVE-2022-25766Mar 21, 2022affected < 1.5.20fixed 1.5.20
The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible
- affected < 0.9.0fixed 0.9.0
Versions of `ungit` prior to 0.9.0 are affected by a command injection vulnerability in the `url` parameter. ## Recommendation Update version 0.9.0 or later.