CVE-2022-24066
Command Injection
Public Exploits: 1
Exploited in Wild: -
Descriptions
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
SSVC
- Decision: -
Timeline
- 2022-02-24 CVE Reserved
- 2022-04-01 CVE Published
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- 2024-11-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
References (4)
URL | Date | SRC |
---|---|---|
https://gist.github.com/lirantal/a930d902294b833514e821102316426b | 2024-09-16 | |
https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5 | 2023-08-08 | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820 | 2023-08-08 | |
https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306 | 2023-08-08 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Simple-git Project | Simple-git | < 3.5.0 | node.js | Affected |