CVE Vulnerability

CVE-2022-25860

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391 Exploit Third Party Advisory
https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13 Patch Third Party Advisory
https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*
Information

Published : 2023-01-26 09:15

Updated : 2023-02-02 06:12

NVD link : CVE-2022-25860

Mitre link : CVE-2022-25860

Products Affected
No products.
CWE
NVD-CWE-noinfo