CVE-2020-28422: 
JavaScript vulnerability analysis and mitigation

All versions of package git-archive are vulnerable to Command Injection via the exports function. The vulnerability was disclosed on December 11, 2020, and was assigned CVE-2020-28422. This security issue affects all versions of the git-archive Node.js package (Snyk Advisory).

The vulnerability has been classified as a Command Injection vulnerability (CWE-77). It received a CVSS v3.1 base score of 7.8 (HIGH) from NIST and 6.4 (MEDIUM) from Snyk. The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring Low privileges (PR:L), and no user interaction (UI:N). The scope is Unchanged (S:U), with potential High impact on confidentiality (C:H), High impact on integrity (I:H), and High impact on availability (A:H) (NVD).

A successful exploitation of this vulnerability could lead to total loss of confidentiality, with access to restricted information that presents a direct, serious impact. The vulnerability can affect system availability, causing performance reduction or interruptions in resource availability, though complete denial of service is not possible (Snyk Advisory).

Currently, there is no fixed version available for the git-archive package. Users should consider using alternative packages or implementing additional security controls to mitigate the risk (Snyk Advisory).