CVE-2022-24433
Summary
| CVE | CVE-2022-24433 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-03-11 17:16:00 UTC |
| Updated | 2023-08-08 14:21:00 UTC |
| Description | The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed verbatim to the git fetch subcommand. By injecting git options (the upstream fix names `--upload-pack`) it was possible to get arbitrary command execution. |
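The following is an added illustration, not simple-git's own code and not the upstream patch. It models the argv that a `fetch(remote, branch)` wrapper hands to `git`, shows that a caller-controlled value shaped like `--upload-pack=<cmd>` (the option named in the fix PR) is parsed by git as an option rather than a remote name, and contrasts that with a builder that rejects option-like values before they reach git. The function names, the `buildFetchArgv*` helpers and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not simple-git's own code. It models the argv that a
// fetch(remote, branch) wrapper hands to `git` and shows why caller-controlled
// values that look like options are dangerous even when no shell is involved.

// Vulnerable pattern: remote and branch are appended to the argv verbatim, so a
// value such as "--upload-pack=<cmd>" is parsed by git as an option, not a name.
function buildFetchArgvUnsafe(remote, branch) {
  return ['fetch', remote, branch];
}

// git's option parser treats any argument beginning with "-" as an option (or a
// bundled set of short options) until it sees a bare "--" or "--end-of-options".
function isOptionLike(value) {
  return typeof value === 'string' && value.startsWith('-');
}

// The option named in the upstream fix PR: git runs its value as the command that
// serves the remote side of the fetch, which is how argument injection turns into
// command execution.
const UPLOAD_PACK_RE = /^--upload-pack(=|$)/;

// Hardened builder: refuse anything option-shaped before it reaches git. Rejecting
// every leading "-" is broader than blocking only --upload-pack; that is deliberate,
// since other options that alter config or hooks are just as unwelcome here.
function buildFetchArgvSafe(remote, branch) {
  for (const [name, value] of [['remote', remote], ['branch', branch]]) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`git.fetch: ${name} must be a non-empty string`);
    }
    if (isOptionLike(value)) {
      const why = UPLOAD_PACK_RE.test(value) ? 'upload-pack override' : 'option-like value';
      throw new Error(`git.fetch: rejected ${name} (${why}): ${JSON.stringify(value)}`);
    }
  }
  return ['fetch', remote, branch];
}

// Which of the positional arguments would git interpret as options?
function injectedOptions(argv) {
  return argv.slice(1).filter(isOptionLike);
}

// Constructed inputs (not taken from the advisory): a benign pair, and an
// attacker-chosen remote carrying the option from the fix PR with a harmless command.
const BENIGN = { remote: 'origin', branch: 'main' };
const MALICIOUS = { remote: '--upload-pack=id', branch: 'main' };

function demo() {
  const unsafe = buildFetchArgvUnsafe(MALICIOUS.remote, MALICIOUS.branch);
  // spawn('git', unsafe) would still honour the option: argument injection does not
  // need a shell, so array-style spawning is not a mitigation on its own.
  const leaked = injectedOptions(unsafe);
  let safeError = null;
  try {
    buildFetchArgvSafe(MALICIOUS.remote, MALICIOUS.branch);
  } catch (e) {
    safeError = e.message;
  }
  return {
    unsafe,
    leaked,
    safeError,
    safeBenign: buildFetchArgvSafe(BENIGN.remote, BENIGN.branch),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check belongs in the wrapper, not in the caller: any place that forwards user-controlled strings into a git argv (remote names, branch names, refspecs, paths) needs the same leading-dash rejection, because `child_process.spawn` with an argument array prevents shell injection but does nothing about option injection.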
Risk And Classification
Problem Types: CWE-88
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Simple-git Project | Simple-git | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Prevent use of `--upload-pack` as a command in `git.fetch` to avoid p… by steveukx · Pull Request #767 · steveukx/git-js · GitHub | MISC | github.com | |
| Command Injection in org.webjars.npm:simple-git | CVE-2022-24433 | Snyk | MISC | snyk.io | |
| Command Injection in simple-git | CVE-2022-24433 | Snyk | MISC | snyk.io | |
| Release simple-git@3.3.0 · steveukx/git-js · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Alessio Della Libera of Snyk Research Team
There are currently no legacy QID mappings associated with this CVE.