CVE-2022-24433
HIGH8.1EPSS 0.93%Command injection in simple-git
Published: 3/12/2022Modified: 1/14/2025
Description
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
Affected packages (1)
- npm/simple-gitfrom 0, < 3.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24433
- PATCHhttps://github.com/steveukx/git-js
- WEBhttps://github.com/steveukx/git-js/pull/767
- WEBhttps://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
- WEBhttps://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199