CVE-2022-24066
Summary
| CVE | CVE-2022-24066 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-04-01 20:15:00 UTC |
| Updated | 2023-08-08 14:21:00 UTC |
| Description | The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patched the `git fetch` attack vector. `git clone` accepts the same `--upload-pack` option, and the earlier fix did not cover it. |
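The root cause behind both CVE-2022-24433 and this CVE is that `git` treats the value of `--upload-pack` (short form `-u`) as a program to run locally, so a library that forwards caller-supplied strings into the argument list of `git fetch` or `git clone` hands an attacker local code execution without any shell metacharacters. The snippet below is an added example, not simple-git's own code and not its 3.5.0 fix: it shows a prefix-aware denylist for the specific option this CVE concerns, and the more robust allowlist approach of only forwarding options a wrapper has decided to support and placing positionals after `--`. The function names, the allowlist contents and the sample payload string are assumptions constructed for illustration.

```javascript
// Added example (not simple-git's code). Function names and the allowlist are
// assumptions for illustration; the payload below is a constructed sample.

// Denylist check for the option behind CVE-2022-24066. git's option parser accepts
// the value attached (`--upload-pack=cmd`), as the next argument
// (`--upload-pack cmd`), via the short option (`-u cmd`, `-ucmd`), and as any
// unambiguous abbreviation of the long name (`--upload=cmd`), so an exact string
// match on "--upload-pack" is not enough. A bare `--upload-pack` or `-u` is also
// flagged, because the following argument would then become the command.
function looksLikeUploadPack(arg) {
  if (arg.startsWith('-u')) return true;
  if (!arg.startsWith('--')) return false;
  const name = arg.split('=', 1)[0];
  return name.length >= 3 && '--upload-pack'.startsWith(name);
}

// Allowlist: options a wrapper chooses to support, each with a value pattern
// (null = flag with no value). Anything not listed is refused, which covers
// --upload-pack, its abbreviations, and every other option not reviewed here.
const ALLOWED_CLONE_OPTIONS = new Map([
  ['--depth', /^[1-9]\d*$/],
  ['--branch', /^[A-Za-z0-9._\/-]+$/],
  ['--single-branch', null],
  ['--no-tags', null],
  ['--bare', null],
]);

// Build the argv for `git clone` from caller-supplied pieces. Positionals go after
// `--` so a repo URL or directory beginning with '-' can never be parsed as an option.
function buildCloneArgv(repo, dir, options = []) {
  const argv = ['clone'];
  for (const opt of options) {
    const eq = opt.indexOf('=');
    const name = eq === -1 ? opt : opt.slice(0, eq);
    const value = eq === -1 ? null : opt.slice(eq + 1);
    const pattern = ALLOWED_CLONE_OPTIONS.get(name);
    if (pattern === undefined) {
      throw new Error(`refusing clone option not on the allowlist: ${opt}`);
    }
    if (pattern === null) {
      if (value !== null) throw new Error(`option takes no value: ${opt}`);
      argv.push(name);
    } else {
      if (value === null || !pattern.test(value)) {
        throw new Error(`invalid value for ${name}: ${opt}`);
      }
      argv.push(`${name}=${value}`);
    }
  }
  argv.push('--', repo);
  if (dir) argv.push(dir);
  return argv;
}

// Run the validated argv without a shell. Not exercised by the checks below.
function cloneRepo(repo, dir, options = []) {
  const { spawnSync } = require('node:child_process');
  return spawnSync('git', buildCloneArgv(repo, dir, options), { shell: false, stdio: 'inherit' });
}

// Constructed sample of the attack shape: the whole option value is the command.
const SAMPLE_PAYLOAD = '--upload-pack=touch /tmp/pwned';

module.exports = { looksLikeUploadPack, buildCloneArgv, cloneRepo, SAMPLE_PAYLOAD };
```

Upgrading to simple-git 3.5.0 or later is the fix for the library itself; the allowlist pattern is what an application that exposes repository URLs or clone options to untrusted input should apply on its own side of the API, since a denylist has to track every spelling git accepts.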
Risk And Classification
Problem Types: CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Simple-git Project | Simple-git | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Command Injection in org.webjars.npm:simple-git (Snyk, CVE-2022-24066) | CONFIRM | snyk.io | |
| Command Injection in simple-git (Snyk, CVE-2022-24066) | CONFIRM | snyk.io | |
| Prevent use of `--upload-pack` as a command in `git.clone` to avoid p… · steveukx/git-js@2040de6 · GitHub | CONFIRM | github.com | |
| Command Injection vulnerability in [email protected] · GitHub | CONFIRM | gist.github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Liran Tal
There are currently no legacy QID mappings associated with this CVE.