Description
push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands.
Remediation
References
https://github.com/L33T-KR3W/push-dir/blob/master/index.js#L139
https://snyk.io/vuln/SNYK-JS-PUSHDIR-559009
Related Vulnerabilities
CVE-2022-36905 Vulnerability in maven package eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin
CVE-2022-22881 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base
CVE-2016-10540 Vulnerability in maven package org.webjars:minimatch
CVE-2019-20174 Vulnerability in maven package org.webjars.npm:auth0-lock
CVE-2023-3691 Vulnerability in maven package org.webjars.bowergithub.sentsin:layui