Bug 1925227 (CVE-2021-23326) - CVE-2021-23326 graphql-tools/git-loader: exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-23326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1925231
Reported: 2021-02-04 16:17 UTC by Michael Kaplan
Modified: 2021-02-05 20:41 UTC

Fixed In Version: git-loader 6.2.6
Clone Of:
Environment:
Last Closed: 2021-02-05 20:41:47 UTC
Embargoed:



Description Michael Kaplan 2021-02-04 16:17:50 UTC
This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.


References:

https://github.com/ardatan/graphql-tools/commit/6a966beee8ca8b2f4adfe93318b96e4a5c501eac
https://github.com/ardatan/graphql-tools/pull/2470
https://github.com/ardatan/graphql-tools/releases/tag/%40graphql-tools%2Fgit-loader%406.2.6
https://snyk.io/vuln/SNYK-JS-GRAPHQLTOOLSGITLOADER-1062543

Comment 1 Product Security DevOps Team 2021-02-05 20:41:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23326

