
CVSS: 10.0 • EPSS: 32% • CPEs: 1 • EXPL: 1

24 Jan 2023 — Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221). • https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 38% • CPEs: 1 • EXPL: 2

05 Dec 2022 — Versions of the package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when the ext transport protocol is enabled, which makes them exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306). • https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

01 Apr 2022 — Versions of the package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover. • https://gist.github.com/lirantal/a930d902294b833514e821102316426b • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Mar 2022 — Versions of the package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution. • https://github.com/steveukx/git-js/pull/767 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')