
CVE-2022-1440 – Command Injection vulnerability in git-interface@2.1.1 in yarkeev/git-interface
https://notcve.org/view.php?id=CVE-2022-1440
22 Apr 2022 — Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported for `git clone`, which would then allow for any operating system command to be spawned by the attacker. • https://github.com/yarkeev/git-interface/commit/f828aa790016fee3aa667f7b44cf94bf0aa8c60d • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2022-24826 – Git LFS can execute a binary from the current directory on Windows
https://notcve.org/view.php?id=CVE-2022-24826
19 Apr 2022 — On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current w... • https://github.com/git-lfs/git-lfs/releases • CWE-426: Untrusted Search Path

CVE-2022-24767
https://notcve.org/view.php?id=CVE-2022-24767
12 Apr 2022 — GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account. • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24767 • CWE-427: Uncontrolled Search Path Element

CVE-2022-24066 – Command Injection
https://notcve.org/view.php?id=CVE-2022-24066
01 Apr 2022 — The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. • https://gist.github.com/lirantal/a930d902294b833514e821102316426b • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2021-23632 – Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2021-23632
17 Mar 2022 — All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands.
Steps to Reproduce:
1. Create a file named exploit.js with the following content:
   var Git = require("git").Git;
   var repo = new Git("repo-test");
   var user_input = "version; date";
   repo.git(user_input, function(err, result) { console.log(result); });
2. In the same directory as exploit.js, run npm install git.
3. Run ...
• https://snyk.io/vuln/SNYK-JS-GIT-1568518 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2022-24433 – Command Injection
https://notcve.org/view.php?id=CVE-2022-24433
11 Mar 2022 — The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution. • https://github.com/steveukx/git-js/pull/767 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2021-44685
https://notcve.org/view.php?id=CVE-2021-44685
06 Dec 2021 — Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution). • https://github.com/dwisiswant0/advisory/issues/3 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2021-32673 – Remote Command Execution in reg-keygen-git-hash-plugin
https://notcve.org/view.php?id=CVE-2021-32673
08 Jun 2021 — reg-keygen-git-hash-plugin is a reg-suit plugin that detects the snapshot key to be compared against using the Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allows remote attackers to execute arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue. • https://github.com/reg-viz/reg-suit/commit/f84ad9c7a22144d6c147dc175c52756c0f444d87 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2021-28955
https://notcve.org/view.php?id=CVE-2021-28955
22 Mar 2021 — git-bug before 0.7.2 has an Uncontrolled Search Path Element. It will execute git.bat from the current directory in certain PATH situations (most often seen on Windows). • https://github.com/MichaelMure/git-bug/security/advisories/GHSA-m898-h4pm-pqfr • CWE-427: Uncontrolled Search Path Element

CVE-2020-28490 – Command Injection
https://notcve.org/view.php?id=CVE-2020-28490
18 Feb 2021 — The package async-git before 1.13.2 is vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('a`touch HACKED`b') • https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')