{"api_version":"1","generated_at":"2026-04-21T08:59:55+00:00","cve":"CVE-2022-24433","urls":{"html":"https://cve.report/CVE-2022-24433","api":"https://cve.report/api/cve/CVE-2022-24433.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24433","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24433"},"summary":{"title":"CVE-2022-24433","description":"The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2022-03-11 17:16:00","updated_at":"2023-08-08 14:21:00"},"problem_types":["CWE-88"],"metrics":[],"references":[{"url":"https://github.com/steveukx/git-js/pull/767","name":"https://github.com/steveukx/git-js/pull/767","refsource":"MISC","tags":[],"title":"Prevent use of `--upload-pack` as a command in `git.fetch` to avoid p… by steveukx · Pull Request #767 · steveukx/git-js · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245","name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245","refsource":"MISC","tags":[],"title":"Command Injection in org.webjars.npm:simple-git | CVE-2022-24433 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199","name":"https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199","refsource":"MISC","tags":[],"title":"Command Injection in simple-git | CVE-2022-24433 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0","name":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0","refsource":"MISC","tags":[],"title":"Release simple-git@3.3.0 · steveukx/git-js · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24433","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24433","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Alessio Della Libera of Snyk Research Team","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"24433","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"simple-git_project","cpe5":"simple-git","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2022-03-11T16:12:03.865726Z","ID":"CVE-2022-24433","STATE":"PUBLIC","TITLE":"Command Injection"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"simple-git","version":{"version_data":[{"version_affected":"<","version_value":"3.3.0"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Command Injection"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199","name":"https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199"},{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245","name":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245"},{"refsource":"MISC","url":"https://github.com/steveukx/git-js/pull/767","name":"https://github.com/steveukx/git-js/pull/767"},{"refsource":"MISC","url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0","name":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0"}]},"description":{"description_data":[{"lang":"eng","value":"The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},"credit":[{"lang":"eng","value":"Alessio Della Libera of Snyk Research Team"}]},"nvd":{"publishedDate":"2022-03-11 17:16:00","lastModifiedDate":"2023-08-08 14:21:00","problem_types":["CWE-88"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*","versionEndExcluding":"3.3.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}