Command Injection
CVE-2022-24433

8.1HIGH

Key Information:

Vendor: Simple-git Project
Status: Simple-git
Vendor: CVE Published:; 11 March 2022

Summary

The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

Affected Version(s)

simple-git < 3.3.0

References

https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199

x_refsource_MISC

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245

x_refsource_MISC

https://github.com/steveukx/git-js/pull/767

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 11, 2022
Vulnerability Reserved
Feb 24, 2022

Credit

Alessio Della Libera of Snyk Research Team

.

CVE-2022-24433 : Command Injection | SecurityVulnerability.io