GHSA-9w5j-4mwv-2wj8

Source

https://github.com/advisories/GHSA-9w5j-4mwv-2wj8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-9w5j-4mwv-2wj8/GHSA-9w5j-4mwv-2wj8.json

Aliases

CVE-2022-25860

Published

2023-01-26T21:30:25Z

Modified

2023-11-08T04:08:49.692488Z

Details

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-25860
https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

Affected packages

npm / simple-git

Package

Name: simple-git

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.16.0