Lucene search

GitHub Advisory DatabaseGHSA-9W5J-4MWV-2WJ8

HistoryJan 26, 2023 - 9:30 p.m.

Remote code execution in simple-git

2023-01-2621:30:25

GitHub Advisory Database

github.com

remote code execution

simple-git

vulnerability

improper input sanitization

incomplete fix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.021 Low

EPSS

Percentile

89.2%

JSON

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

Affected configurations

Vulners

Node

simple-git_projectsimple-gitRange<3.16.0node.js

CPENameOperatorVersion
simple-gitlt3.16.0

CPE	Name	Operator	Version
	simple-git	lt	3.16.0

References

github.com/advisories/GHSA-9w5j-4mwv-2wj8

github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951

github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13

nvd.nist.gov/vuln/detail/CVE-2022-25860

security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.021 Low

EPSS

Percentile

89.2%

JSON

Related for GHSA-9W5J-4MWV-2WJ8