GHSA-28xr-mwxg-3qc8

Suggest an improvement
Source
https://github.com/advisories/GHSA-28xr-mwxg-3qc8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-28xr-mwxg-3qc8/GHSA-28xr-mwxg-3qc8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-28xr-mwxg-3qc8
Aliases
  • CVE-2022-24066
  • SNYK-JAVA-ORGWEBJARSNPM-2434820
  • SNYK-JS-SIMPLEGIT-2434306
Published
2022-04-02T00:00:13Z
Modified
2023-11-08T04:08:29.185927Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Command injection in simple-git
Details

simple-git (maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in simple-git@3.5.0.

References

Affected packages

npm / simple-git

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.0