Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yOHhyLW13eGctM3FjOM03tQ
Command injection in simple-git
simple-git (maintained as git-js named repository on GitHub) is a light weight interface for running git commands in any node.js application.The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. A fix was released in [email protected].
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOHhyLW13eGctM3FjOM03tQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 9 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-28xr-mwxg-3qc8, CVE-2022-24066
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24066
- https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5
- https://gist.github.com/lirantal/a930d902294b833514e821102316426b
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.5.0
- https://github.com/advisories/GHSA-28xr-mwxg-3qc8
Blast Radius: 40.3
Affected Packages
npm:simple-git
Dependent packages: 4,498Dependent repositories: 93,771
Downloads: 16,880,866 last month
Affected Version Ranges: < 3.5.0
Fixed in: 3.5.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.2, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.32.1, 1.33.0, 1.33.1, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.38.0, 1.39.0, 1.40.0, 1.41.0, 1.42.0, 1.42.1, 1.43.0, 1.44.0, 1.45.0, 1.46.0, 1.47.0, 1.48.0, 1.49.0, 1.50.0, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.56.0, 1.57.0, 1.58.0, 1.59.0, 1.60.0, 1.61.0, 1.62.0, 1.63.0, 1.64.0, 1.65.0, 1.66.0, 1.67.0, 1.68.0, 1.69.0, 1.70.0, 1.71.0, 1.72.0, 1.73.0, 1.74.0, 1.74.1, 1.75.0, 1.76.0, 1.77.0, 1.78.0, 1.79.0, 1.80.0, 1.80.1, 1.81.0, 1.81.1, 1.82.0, 1.83.0, 1.84.0, 1.85.0, 1.88.0, 1.89.0, 1.90.0, 1.91.0, 1.92.0, 1.94.0, 1.95.0, 1.95.1, 1.96.0, 1.98.0, 1.99.0, 1.100.0, 1.101.0, 1.102.0, 1.103.0, 1.104.0, 1.105.0, 1.106.0, 1.107.0, 1.108.0, 1.109.0, 1.110.0, 1.111.0, 1.112.0, 1.113.0, 1.114.0, 1.115.0, 1.116.0, 1.117.0, 1.118.0, 1.119.0, 1.120.0, 1.121.0, 1.122.0, 1.123.0, 1.124.0, 1.125.0, 1.126.0, 1.127.0, 1.128.0, 1.129.0, 1.130.0, 1.131.0, 1.132.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.15.0, 2.16.0, 2.17.0, 2.18.0, 2.19.0, 2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.34.2, 2.35.0, 2.35.1, 2.35.2, 2.36.0, 2.36.1, 2.36.2, 2.37.0, 2.38.0, 2.38.1, 2.39.0, 2.39.1, 2.40.0, 2.41.0, 2.41.1, 2.41.2, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.45.1, 2.46.0, 2.47.0, 2.47.1, 2.48.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.2.4, 3.2.6, 3.3.0, 3.4.0
All unaffected versions: 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.15.1, 3.16.0, 3.16.1, 3.17.0, 3.18.0, 3.19.0, 3.19.1, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.24.0