push-dir through 0.4.1 allows execution of arbitrary commands. Arguments provided as part of the variable “opt.branch” are not validated before being passed to the “git” command within “index.js#L139”. This could be abused by an attacker to inject arbitrary commands.
[
{
"product": "push-dir",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions including 0.4.1"
}
]
}
]