CVE-2022-25860 – simple-git < 3.16.0 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-25860
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221). Las versiones del paquete simple-git anteriores a la 3.16.0 son vulnerables a la ejecución remota de código (RCE) a través de los métodos clone(), pull(), push() y listRemote(), debido a una sanitización de entrada inadecuada. Esta vulnerabilidad existe debido a una solución incompleta de [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221). The package simple-git is vulnerable to Remote Code Execution in versions before 3.16.0 via the clone(), pull(), push() and listRemote() methods due to improper input sanitization. • https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951 https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13 https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-46648 – ruby-git: code injection vulnerability
https://notcve.org/view.php?id=CVE-2022-46648
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318. Las versiones de ruby-git anteriores a la v1.13.0 permiten a un atacante remoto autenticado ejecutar un código Ruby arbitrario haciendo que un usuario cargue en el producto un repositorio que contiene un nombre de archivo especialmente manipulado. Esta vulnerabilidad es diferente de CVE-2022-47318. A flaw was found in the ruby-git package, which allows a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection flaw. • https://github.com/ruby-git/ruby-git https://github.com/ruby-git/ruby-git/pull/602 https://jvn.jp/en/jp/JVN16765254/index.html https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html https://access.redhat.com/security/cve/CVE-2022-46648 https://bugzilla.redhat.com/show_bug.cgi?id=2169385 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-47318 – ruby-git: code injection vulnerability
https://notcve.org/view.php?id=CVE-2022-47318
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648. Las versiones de ruby-git anteriores a v1.13.0 permiten a un atacante remoto autenticado ejecutar un código Ruby arbitrario haciendo que un usuario cargue en el producto un repositorio que contiene un nombre de archivo especialmente manipulado. Esta vulnerabilidad es diferente de CVE-2022-46648. A code injection flaw was found in the ruby-git package. • https://github.com/ruby-git/ruby-git https://github.com/ruby-git/ruby-git/pull/602 https://jvn.jp/en/jp/JVN16765254/index.html https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K https://access.redhat.com/security/cve/CVE-2022-47318 https://bugzilla.redhat.com/show_bug.cgi?id=2159672 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-25912 – Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2022-25912
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306). El paquete simple-git anterior a 3.15.0 es vulnerable a la ejecución remota de código (RCE) cuando se habilita el protocolo de transporte ext, lo que lo hace explotable mediante el método clone(). Esta vulnerabilidad existe debido a una solución incompleta de [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306). The package simple-git is vulnerable to Remote Code Execution in versions before 3.15.0 when the ext transport protocol is enabled. • https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504 https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532 https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2020-28422 – Command Injection
https://notcve.org/view.php?id=CVE-2020-28422
All versions of package git-archive are vulnerable to Command Injection via the exports function. Todas las versiones del paquete git-archive son vulnerables a una inyección de comandos por medio de la función exports • https://security.snyk.io/vuln/SNYK-JS-GITARCHIVE-1050391 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •