CVE-2022-25866
Command Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
El paquete czproject/git-php versiones anteriores a 4.0.3, es vulnerable a una inyección de comandos por medio de una inyección de argumentos git. Cuando es llamado a la función isRemoteUrlReadable($url, array $refs = NULL), los parámetros url y refs son pasados al subcomando git ls-remote de forma que puedan establecerse flags adicionales. Los flags adicionales pueden ser usados para llevar a cabo una inyección de comandos
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-24 CVE Reserved
- 2022-04-25 CVE Published
- 2024-07-29 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/czproject/git-php/releases/tag/v4.0.3 | Release Notes |
URL | Date | SRC |
---|---|---|
https://snyk.io/vuln/SNYK-PHP-CZPROJECTGITPHP-2421349 | 2024-09-16 |
URL | Date | SRC |
---|---|---|
https://github.com/czproject/git-php/commit/5e82d5479da5f16d37a915de4ec55e1ac78de733 | 2023-08-08 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Git-php Project Search vendor "Git-php Project" | Git-php Search vendor "Git-php Project" for product "Git-php" | < 4.0.3 Search vendor "Git-php Project" for product "Git-php" and version " < 4.0.3" | - |
Affected
|