Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zZjk1LXI0NHYtOG1yZ80ySg
Command injection in simple-git
The package simple-git before 3.3.0 is vulnerable to command injection via argument injection. When .fetch(remote, branch, handlerFn) is called, both the remote and branch parameters are passed straight through as positional arguments to the git fetch subcommand. Because neither value is checked or separated from git's option parsing, a caller-controlled value that begins with "-" is read by git as an option rather than as a remote or branch name; by injecting git options this way it was possible to obtain arbitrary command execution.
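The following is an added example, not code from simple-git or from the advisory, showing the shape of the bug and a guard a caller can apply before handing user input to any git wrapper. It builds the argv a wrapper would pass to git rather than spawning git, so it runs offline. The function and constant names are hypothetical, the payload string is constructed for illustration, and the semver helper only covers the plain x.y.z tags listed on this page.

```javascript
// Added example (not simple-git's own code). Names are hypothetical.

// Returns true when `version` falls in the advisory's affected range (< 3.3.0).
// Handles plain "x.y.z" tags only, which is all this page lists.
function isAffectedSimpleGit(version) {
  const [a, b, c] = String(version)
    .replace(/^v/, '')
    .split('.')
    .map((n) => parseInt(n, 10) || 0);
  const [x, y, z] = [3, 3, 0]; // first fixed release
  if (a !== x) return a < x;
  if (b !== y) return b < y;
  return c < z;
}

// Vulnerable shape: caller-supplied values go straight into git's argv, so a
// value starting with "-" is parsed by git as an option, not as a name.
function buildFetchArgvUnsafe(remote, branch) {
  return ['fetch', remote, branch];
}

// Guard: reject anything git could read as an option (leading "-") and
// control characters, which are never valid in a ref name or remote URL.
function assertGitValue(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (value.startsWith('-')) {
    throw new Error(`${name} must not start with "-" (git would parse it as an option): ${value}`);
  }
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error(`${name} contains control characters`);
  }
  return value;
}

// Hardened shape: validate both values, then place "--" before them so git's
// option parser stops and treats whatever follows as positional arguments.
function buildFetchArgvSafe(remote, branch) {
  assertGitValue('remote', remote);
  assertGitValue('branch', branch);
  return ['fetch', '--', remote, branch];
}

// Constructed attacker-controlled branch value. "--upload-pack" is the git
// fetch option that names the program git runs to serve the fetch, which is
// why option injection here becomes command execution. The command is inert.
const CONSTRUCTED_PAYLOAD = '--upload-pack=touch /tmp/pwned';

// Compare what each builder does with the same input.
function demo() {
  const unsafe = buildFetchArgvUnsafe('origin', CONSTRUCTED_PAYLOAD);
  let safeError = null;
  try {
    buildFetchArgvSafe('origin', CONSTRUCTED_PAYLOAD);
  } catch (e) {
    safeError = e.message;
  }
  return { unsafe, safeError, ok: buildFetchArgvSafe('origin', 'main') };
}

console.log(JSON.stringify(demo(), null, 2));
```

The guard is a caller-side mitigation; the actual fix is to upgrade to simple-git 3.3.0 or later (see the references below). Applying the same leading-dash check to every value that reaches a git command line, not only fetch, is the general rule this advisory illustrates.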
Permalink: https://github.com/advisories/GHSA-3f95-r44v-8mrg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zZjk1LXI0NHYtOG1yZ80ySg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3f95-r44v-8mrg, CVE-2022-24433
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24433
- https://github.com/steveukx/git-js/pull/767
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245
- https://github.com/advisories/GHSA-3f95-r44v-8mrg
Blast Radius: 40.3
Affected Packages
npm:simple-git
Dependent packages: 4,498
Dependent repositories: 93,771
Downloads: 16,880,866 last month
Affected Version Ranges: < 3.3.0
Fixed in: 3.3.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.1.2, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.26.2, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.32.1, 1.33.0, 1.33.1, 1.34.0, 1.35.0, 1.36.0, 1.37.0, 1.38.0, 1.39.0, 1.40.0, 1.41.0, 1.42.0, 1.42.1, 1.43.0, 1.44.0, 1.45.0, 1.46.0, 1.47.0, 1.48.0, 1.49.0, 1.50.0, 1.51.0, 1.52.0, 1.53.0, 1.54.0, 1.55.0, 1.56.0, 1.57.0, 1.58.0, 1.59.0, 1.60.0, 1.61.0, 1.62.0, 1.63.0, 1.64.0, 1.65.0, 1.66.0, 1.67.0, 1.68.0, 1.69.0, 1.70.0, 1.71.0, 1.72.0, 1.73.0, 1.74.0, 1.74.1, 1.75.0, 1.76.0, 1.77.0, 1.78.0, 1.79.0, 1.80.0, 1.80.1, 1.81.0, 1.81.1, 1.82.0, 1.83.0, 1.84.0, 1.85.0, 1.88.0, 1.89.0, 1.90.0, 1.91.0, 1.92.0, 1.94.0, 1.95.0, 1.95.1, 1.96.0, 1.98.0, 1.99.0, 1.100.0, 1.101.0, 1.102.0, 1.103.0, 1.104.0, 1.105.0, 1.106.0, 1.107.0, 1.108.0, 1.109.0, 1.110.0, 1.111.0, 1.112.0, 1.113.0, 1.114.0, 1.115.0, 1.116.0, 1.117.0, 1.118.0, 1.119.0, 1.120.0, 1.121.0, 1.122.0, 1.123.0, 1.124.0, 1.125.0, 1.126.0, 1.127.0, 1.128.0, 1.129.0, 1.130.0, 1.131.0, 1.132.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.15.0, 2.16.0, 2.17.0, 2.18.0, 2.19.0, 2.20.0, 2.20.1, 2.21.0, 2.22.0, 2.23.0, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.34.2, 2.35.0, 2.35.1, 2.35.2, 2.36.0, 2.36.1, 2.36.2, 2.37.0, 2.38.0, 2.38.1, 2.39.0, 2.39.1, 2.40.0, 2.41.0, 2.41.1, 2.41.2, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.45.1, 2.46.0, 2.47.0, 2.47.1, 2.48.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.2.4, 3.2.6
All unaffected versions: 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.15.1, 3.16.0, 3.16.1, 3.17.0, 3.18.0, 3.19.0, 3.19.1, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.24.0