Lucene search

[email protected]NVD:CVE-2022-25912

HistoryDec 06, 2022 - 5:15 a.m.

CVE-2022-25912

2022-12-0605:15:11

CWE-78

[email protected]

web.nvd.nist.gov

simple-git

vulnerability

remote code execution

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.021

Percentile

89.3%

JSON

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

Affected configurations

Nvd

Node

simple-git_projectsimple-gitRange<3.15.0node.js

VendorProductVersionCPE
simple-git_projectsimple-git*cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
simple-git_project	simple-git	*	cpe:2.3:a:simple-git_project:simple-git::::::node.js::*

References

github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols

github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504

github.com/steveukx/git-js/releases/tag/simple-git%403.15.0

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532

security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.021

Percentile

89.3%

JSON

Related for NVD:CVE-2022-25912

cve3 prion3 cvelist3 github3 veracode2 osv6 cnvd1 nvd2 ibm2