CVE-2022-25860
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
Summary
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | simple-git | 0 < 3.16.0 | affected |
Weaknesses
- CWE-94: Remote Code Execution (RCE)
ADP Enrichment
CVE Program Container
Additional References
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
- https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
- https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391
- https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13
- https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.