PT-2022-16694 · Unknown · Simple-Git

Alessio Della Libera · Published 2022-03-11 · Updated 2023-08-08 · CVE-2022-24433

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: simple-git versions prior to 3.3.0

Description: The issue allows command injection via argument injection. When the fetch function is called with the parameters remote, branch, and handlerFn, both the remote and branch values are passed through to the git fetch subcommand. A caller-controlled value in either position can therefore inject git options, which makes arbitrary command execution possible.

Recommendations: For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, restrict the input accepted for the remote and branch parameters of the fetch function to prevent arbitrary command execution.

Fix

Weakness Enumeration

Argument Injection
Command Injection
Special Elements Injection

Related Identifiers

CVE-2022-24433
GHSA-3F95-R44V-8MRG
SNYK-JAVA-ORGWEBJARSNPM-2421245
SNYK-JS-SIMPLEGIT-2421199

Affected Products

Simple-Git