2167563 – (CVE-2022-25853) CVE-2022-25853 semver-tags: Command Injection via the getGitTagsRemote function in semver-tags

Bug 2167563 (CVE-2022-25853) - CVE-2022-25853 semver-tags: Command Injection via the getGitTagsRemote function in semver-tags

Summary: CVE-2022-25853 semver-tags: Command Injection via the getGitTagsRemote functi...

Keywords:
Status:	NEW
Alias:	CVE-2022-25853
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2167320
TreeView+	depends on / blocked

Reported:	2023-02-07 04:12 UTC by Avinash Hanwate
Modified:	2025-01-02 08:27 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-02-07 04:12:43 UTC

All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.

https://github.com/jtrussell/semver-tags/blob/db1ba680bafed0d51e1bb36bd38f2c5439fe8b00/lib/get-tags.js%23L21
https://security.snyk.io/vuln/SNYK-JS-SEMVERTAGS-3175612

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alampare
alazarot
chazlett
dhanak
emingora
eric.wittmann
gjospin
ibek
janstey
jrokos
kverlaen
lbacciot
mnovotny
mwringe
nboldt
pantinor
peholase
pjindal
rguimara
scorneli