GHSA-3f95-r44v-8mrg

Source
https://github.com/advisories/GHSA-3f95-r44v-8mrg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3f95-r44v-8mrg/GHSA-3f95-r44v-8mrg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3f95-r44v-8mrg
Aliases
Published
2022-03-12T00:00:33Z
Modified
2025-01-14T10:56:50.435786Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Command injection in simple-git
Details

The package simple-git before 3.3.0 is vulnerable to command injection via argument injection. When the .fetch(remote, branch, handlerFn) function is called, both the remote and branch parameters are passed through to the git fetch subcommand. By injecting git options through these parameters, it was possible to achieve arbitrary command execution.
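The root cause described above is that caller-supplied strings reach git's argument list unvalidated, so a value beginning with `-` is parsed as an option rather than as a remote or branch name. The following is an added illustration, not simple-git's own code and not its 3.3.0 fix: it shows the two defensive controls a wrapper around `git fetch` would want, a check that rejects option-like values, and building the argument vector with git's end-of-options marker `--` so positional arguments can never be read as flags. The function names `assertSafeGitArg` and `buildFetchArgs` and the sample inputs are constructed for this example.

```javascript
// Added example (not simple-git's code): guard user-controlled values before
// they reach a git subcommand's argument vector.

// A value that git would parse as an option instead of a positional argument.
function isOptionLike(value) {
  return typeof value === 'string' && value.startsWith('-');
}

// Reject empty values, option-like values and values carrying control
// characters. Returns the value unchanged when it is acceptable.
function assertSafeGitArg(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (isOptionLike(value)) {
    throw new Error(`${name} looks like a git option: ${JSON.stringify(value)}`);
  }
  if (/[\0\r\n]/.test(value)) {
    throw new Error(`${name} contains control characters`);
  }
  return value;
}

// Build the argv for `git fetch`. Positional arguments are placed after `--`,
// which git's option parser treats as end-of-options; this is defense in depth
// on top of assertSafeGitArg. The array is meant for execFile(), never for a
// shell command string.
function buildFetchArgs(remote, branch) {
  return [
    'fetch',
    '--',
    assertSafeGitArg('remote', remote),
    assertSafeGitArg('branch', branch),
  ];
}

// Constructed demonstration inputs (no git process is spawned here).
const attempts = [
  ['origin', 'main'],          // ordinary call
  ['--some-option=value', 'main'], // option-like remote, rejected
  ['origin', '-x'],            // option-like branch, rejected
];

for (const [remote, branch] of attempts) {
  try {
    console.log('accepted:', buildFetchArgs(remote, branch).join(' '));
  } catch (err) {
    console.log('rejected:', err.message);
  }
}
```

Pair this with `child_process.execFile('git', args, ...)` rather than `exec()` with an interpolated string, so the argument boundaries are preserved and no shell parses the values.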

Database specific
{
    "nvd_published_at": "2022-03-11T17:16:00Z",
    "github_reviewed_at": "2022-03-14T23:30:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74",
        "CWE-77"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / simple-git

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.3.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3f95-r44v-8mrg/GHSA-3f95-r44v-8mrg.json"