3 matches found
@phoenix-plugin-registry/hirse.ungit (=0.8.3), hirse.ungit (>=0.1.0 <=0.8.3) potentially affected by CVE-2022-25766 via ungit (>=0.9.3 <=1.5.2)
ungit NPM version =0.9.3, =0.1.0, =0.8.3 Source cves: CVE-2022-25766 Source advisory: OSV:GHSA-HF8C-XR89-VFM5...
EUVD-2022-1441
The package ungit before 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. The user-controlled values remote and ref are passed to the git fetch command. By injecting some git options it was possible to get arbitrary...
@phoenix-plugin-registry/hirse.ungit (=0.8.3), hirse.ungit (>=0.4.1 <=0.8.3) potentially affected by CVE-2022-25766 via ungit (>=1.1.22 <=1.5.2)
ungit NPM version =1.1.22, =0.4.1, =0.8.3 Source cves: CVE-2022-25766 Source advisory: SNYK:JS-UNGIT-2414099...