Lucene search

GoogleOSV:GHSA-9W5J-4MWV-2WJ8

HistoryJan 26, 2023 - 9:30 p.m.

Remote code execution in simple-git

2023-01-2621:30:25

Google

osv.dev

simple-git

remote code execution

rce

input sanitization

cve-2022-25912

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.021 Low

EPSS

Percentile

89.2%

JSON

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

CPENameOperatorVersion
simple-gitlt3.16.0

CPE	Name	Operator	Version
	simple-git	lt	3.16.0

References

github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951

github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13

nvd.nist.gov/vuln/detail/CVE-2022-25860

security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.021 Low

EPSS

Percentile

89.2%

JSON

Related for OSV:GHSA-9W5J-4MWV-2WJ8