CVE-2022-25766
Command Injection in ungit
8.8
HIGH
CVSS 3.1
EPSS 4.2%
Description
The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs in the /api/fetch endpoint: the user-controlled remote and ref values are passed as positional arguments to the git fetch command without being validated. Because git treats an argument beginning with "-" as an option rather than as a remote or ref name, an attacker could inject git options through these values and obtain arbitrary command execution.
How to fix CVE-2022-25766
To remediate CVE-2022-25766, upgrade the affected package to a fixed version below.
- upgrade ungit to 1.5.20 or later
Is CVE-2022-25766 being exploited?
Low: EPSS is 4.2%, the estimated probability that this vulnerability is exploited in the wild within the next 30 days, so exploitation activity is not expected at scale.
Affected packages (1)
- ungit: all versions from 0 up to, but not including, 1.5.20 (>= 0, < 1.5.20)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |