CVE-2022-24433 – simple-git

Package

Manager: npm
Name: simple-git
Vulnerable Version: >=0 <3.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00527 pctl0.66192

Details

Command injection in simple-git The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.

Metadata

Created: 2022-03-12T00:00:33Z
Modified: 2022-03-17T21:46:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3f95-r44v-8mrg/GHSA-3f95-r44v-8mrg.json
CWE IDs: ["CWE-74", "CWE-77"]
Alternative ID: GHSA-3f95-r44v-8mrg
Finding: F422
Auto approve: 1