CVE-2022-42906

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-42906

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42906.json

Aliases

GHSA-w67g-6gjv-c599

Related

DLA-3277-1

Published

2022-10-13T03:15:09Z

Modified

2023-11-29T09:42:59.733631Z

Details

powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.

References

Affected packages

Git / github.com/jaspernbrouwer/powerline-gitstatus

Affected ranges

Type: GIT
Repo: https://github.com/jaspernbrouwer/powerline-gitstatus
Events: Introduced

0The exact introduced commit is unknown

Fixed

fe8e963b3489e4cceaa2c1f26f2bcc2ef405364c

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.1.0

v1.1.1

v1.2.1

v1.3.0

v1.3.1