CVE-2022-24433

Опубликовано: 11 мар. 2022

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

Ссылки

https://github.com/steveukx/git-js/pull/767
Patch
Third Party Advisory
https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199
Patch
Third Party Advisory
https://github.com/steveukx/git-js/pull/767
Patch
Third Party Advisory
https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*

Версия до 3.3.0 (исключая)

EPSS

Процентиль: 76%

0.00927

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-88

Связанные уязвимости

GHSA-3f95-r44v-8mrg

CVSS3: 8.1

github

почти 4 года назад

Command injection in simple-git

EPSS

Процентиль: 76%

0.00927

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-88