CVE-2022-25866

Опубликовано: 25 апр. 2022

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Ссылки

https://github.com/czproject/git-php/commit/5e82d5479da5f16d37a915de4ec55e1ac78de733
Patch
Third Party Advisory
https://github.com/czproject/git-php/releases/tag/v4.0.3
Release Notes
Third Party Advisory
https://snyk.io/vuln/SNYK-PHP-CZPROJECTGITPHP-2421349
Exploit
Patch
Third Party Advisory
https://github.com/czproject/git-php/commit/5e82d5479da5f16d37a915de4ec55e1ac78de733
Patch
Third Party Advisory
https://github.com/czproject/git-php/releases/tag/v4.0.3
Release Notes
Third Party Advisory
https://snyk.io/vuln/SNYK-PHP-CZPROJECTGITPHP-2421349
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:git-php_project:git-php:*:*:*:*:*:*:*:*

Версия до 4.0.3 (исключая)

EPSS

Процентиль: 83%

0.01994

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-88

Связанные уязвимости

GHSA-3xpw-vhmv-cw7h

CVSS3: 8.1

github

почти 4 года назад

Command injection in czproject/git-php

EPSS

Процентиль: 83%

0.01994

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-88