CVE-2022-25860

Опубликовано: 26 янв. 2023

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

EPSS Средний

Описание

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Ссылки

https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
Patch
Third Party Advisory
https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
Patch
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
Exploit
Third Party Advisory
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
Patch
Third Party Advisory
https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
Patch
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*

Версия до 3.16.0 (исключая)

EPSS

Процентиль: 97%

0.41312

Средний

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-94

NVD-CWE-noinfo

CWE-78

Связанные уязвимости

GHSA-9w5j-4mwv-2wj8

CVSS3: 9.8

github

около 3 лет назад

Remote code execution in simple-git

EPSS

Процентиль: 97%

0.41312

Средний

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-94

NVD-CWE-noinfo

CWE-78