CVE-2022-24433
HIGH 8.1 | EPSS 0.93% | Command injection in simple-git
Published: 2022/3/12 | Modified: 2025/1/14
Description
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
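The description above boils down to one parsing rule: a `remote` or `branch` value that begins with `-` is read by the `git fetch` subcommand as an option rather than as a name. The following is an added example, not code from the advisory or from the simple-git project, showing the two checks a caller can apply on the defensive side: reject option-like positional values before they reach `fetch`, and flag installed versions that fall inside the affected range (`< 3.3.0`). The function names (`assertPositional`, `buildFetchArgs`, `isAffectedVersion`) are assumptions for this illustration.

```javascript
// Added example (not from the advisory or simple-git): defensive checks
// for argument injection into "git fetch <remote> <branch>".

// Git treats a positional value starting with "-" as an option.
const OPTION_LIKE = /^-/;

// Validate one positional argument. Returns it unchanged when it cannot be
// mistaken for an option; throws otherwise so the caller fails closed.
function assertPositional(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (OPTION_LIKE.test(value)) {
    throw new Error(
      `${name} must not begin with "-" (got ${JSON.stringify(value)})`
    );
  }
  return value;
}

// Build the argument vector that would be handed to git, with both
// user-controlled positionals validated first. A caller would pass the
// validated remote/branch on to simple-git's fetch(remote, branch).
function buildFetchArgs(remote, branch) {
  return [
    'fetch',
    assertPositional('remote', remote),
    assertPositional('branch', branch),
  ];
}

// Parse "major.minor.patch" (optional leading "v", trailing prerelease
// tags ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Affected range from the advisory: every release before 3.3.0.
const FIXED_VERSION = [3, 3, 0];

function isAffectedVersion(v) {
  const parts = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED_VERSION[i]) return true;
    if (parts[i] > FIXED_VERSION[i]) return false;
  }
  return false; // exactly 3.3.0 carries the fix
}

// Constructed sample inputs (not real project data) to exercise the checks.
function demo() {
  const results = [];
  for (const [remote, branch] of [['origin', 'main'], ['--option', 'main'], ['origin', '-x']]) {
    try {
      results.push({ remote, branch, args: buildFetchArgs(remote, branch) });
    } catch (e) {
      results.push({ remote, branch, rejected: e.message });
    }
  }
  for (const v of ['2.48.0', '3.2.6', '3.3.0', '3.10.0']) {
    results.push({ version: v, affected: isAffectedVersion(v) });
  }
  return results;
}

module.exports = { assertPositional, buildFetchArgs, isAffectedVersion, demo };
```

The leading-dash check is deliberately simple: it does not try to enumerate dangerous git options, because the safe set of remote and branch names is easier to describe than the unsafe set of option spellings. Upgrading to 3.3.0 or later remains the actual fix; the input check is defence in depth for any code path that still passes user-controlled names to git.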
Affected packages (1)
- npm/simple-git: from 0, < 3.3.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-24433
- PATCH: https://github.com/steveukx/git-js
- WEB: https://github.com/steveukx/git-js/pull/767
- WEB: https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
- WEB: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
- WEB: https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199