CVE-2022-25860

2023-01-2621:15:31

CWE-94

[email protected]

web.nvd.nist.gov

cve-2022-25860

simple-git

rce

remote code execution

input sanitization

cve-2022-25912

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.021 Low

EPSS

Percentile

89.2%

JSON

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.
This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Affected configurations

NVD

Node

simple-git_projectsimple-gitRange<3.16.0node.js

CPENameOperatorVersion
simple-git_project:simple-gitsimple-git project simple-gitlt3.16.0

CPE	Name	Operator	Version
simple-git_project:simple-git	simple-git project simple-git	lt	3.16.0

CNA Affected

[
  {
    "product": "simple-git",
    "versions": [
      {
        "version": "0",
        "lessThan": "3.16.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]