The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.
References
Link | Resource |
---|---|
https://github.com/steveukx/git-js/pull/767 | Patch Third Party Advisory |
https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0 | Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245 | Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199 | Patch Third Party Advisory |
Configurations
History
08 Aug 2023, 14:21
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-88 |
18 Mar 2022, 15:19
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-77 | |
First Time |
Simple-git Project
Simple-git Project simple-git |
|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CPE | cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:* | |
References | (MISC) https://github.com/steveukx/git-js/pull/767 - Patch, Third Party Advisory | |
References | (MISC) https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245 - Patch, Third Party Advisory | |
References | (MISC) https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0 - Patch, Third Party Advisory |
11 Mar 2022, 17:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-03-11 17:16
Updated : 2023-12-10 14:22
NVD link : CVE-2022-24433
Mitre link : CVE-2022-24433
CVE.ORG link : CVE-2022-24433
JSON object : View
Products Affected
simple-git_project
- simple-git
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')