CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24433 – Command Injection
https://notcve.org/view.php?id=CVE-2022-24433
The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution. El paquete simple-git versiones anteriores a 3.3.0, es vulnerable a una Inyección de Comandos por medio de una inyección de argumentos. Cuando es llamado a la función .fetch(remote, branch, handlerFn), los parámetros remote y branch son pasados al subcomando git fetch. • https://github.com/steveukx/git-js/pull/767 https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245 https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-44685
https://notcve.org/view.php?id=CVE-2021-44685
Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution). Git-it versiones hasta 4.4.0, permite una inyección de comandos del sistema operativo en el paso de desafío Branches Aren't Just For Birds. Durante el proceso de verificación, se intenta ejecutar el comando reflog seguido del nombre de la rama actual (que no está desinfectado para su ejecución) • https://github.com/dwisiswant0/advisory/issues/3 https://github.com/jlord/git-it-electron/releases • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2021-32673 – Remote Command Execution in reg-keygen-git-hash-plugin
https://notcve.org/view.php?id=CVE-2021-32673
reg-keygen-git-hash-plugin is a reg-suit plugin to detect the snapshot key to be compare with using Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allow remote attackers to execute of arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue. reg-keygen-git-hash-plugin es un plugin de reg-suit para detectar la clave instantánea para ser comparada con el uso de Git commit hash. reg-keygen-git-hash-plugin versiones hasta 0.10.15 e incluyéndola, permiten a atacantes remotos a ejecutar comandos arbitrarios. Actualizar a versión 0.10.16 o posterior para resolver este problema • https://github.com/reg-viz/reg-suit/commit/f84ad9c7a22144d6c147dc175c52756c0f444d87 https://github.com/reg-viz/reg-suit/releases/tag/v0.10.16 https://github.com/reg-viz/reg-suit/security/advisories/GHSA-49q3-8867-5wmp https://www.npmjs.com/package/reg-keygen-git-hash-plugin • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-28955
https://notcve.org/view.php?id=CVE-2021-28955
git-bug before 0.7.2 has an Uncontrolled Search Path Element. It will execute git.bat from the current directory in certain PATH situations (most often seen on Windows). git-bug versiones anteriores a 0.7.2, presenta un Elemento de Ruta de Búsqueda No Controlada. Ejecutará git.bat desde el directorio actual en determinadas situaciones de PATH (visto con mayor frecuencia en Windows) • https://github.com/MichaelMure/git-bug/security/advisories/GHSA-m898-h4pm-pqfr https://vuln.ryotak.me/advisories/18 • CWE-427: Uncontrolled Search Path Element •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-28490 – Command Injection
https://notcve.org/view.php?id=CVE-2020-28490
The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb') El paquete async-git versiones anteriores a 1.13.2, es vulnerable a una inyección de comandos por medio de metacaracteres de shell (retrocesos). Por ejemplo: git.reset('atouch HACKEDb') • https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d https://github.com/omrilotan/async-git/pull/14 https://snyk.io/vuln/SNYK-JS-ASYNCGIT-1064877 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •