Vulnerability Description
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
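The defensive pattern this advisory implies is that user-controlled values must never be able to become git options in a clone command. The following is an added example, not code from simple-git or from its 3.5.0 fix: it validates the positionals and flags before the argument vector is handed to whatever runs git, and the flag allowlist is an assumption chosen for illustration.

```javascript
// Added example (not simple-git's code): guard a `git clone` argument
// vector so that an option such as --upload-pack cannot be smuggled in
// through a user-supplied "repository" or flag.

// Assumption of this example: only these clone flags may come from users.
const ALLOWED_FLAGS = new Set(['--depth', '--branch', '--single-branch']);

// Extract the option name from "--depth=1" or "--depth".
function optionName(flag) {
  return String(flag).split('=')[0];
}

// Build the argv for `git clone`, or refuse.
// Returns { ok: true, args } or { ok: false, reason }.
function buildCloneArgs(remote, localPath, userFlags = []) {
  for (const [label, value] of [['remote', remote], ['localPath', localPath]]) {
    if (typeof value !== 'string' || value.length === 0) {
      return { ok: false, reason: `${label} must be a non-empty string` };
    }
    if (value.startsWith('-')) {
      // A "repository" of the form --upload-pack=... is the advisory's vector.
      return { ok: false, reason: `${label} looks like a git option: ${value}` };
    }
  }
  for (const flag of userFlags) {
    if (!ALLOWED_FLAGS.has(optionName(flag))) {
      return { ok: false, reason: `flag not allowed: ${optionName(flag)}` };
    }
  }
  // "--" tells git that everything after it is positional, so an
  // option-shaped remote is not parsed as an option even if a later
  // check were bypassed.
  return { ok: true, args: ['clone', ...userFlags, '--', remote, localPath] };
}

// Constructed inputs for illustration.
const accepted = buildCloneArgs('https://example.com/repo.git', 'repo', ['--depth=1']);
const rejected = buildCloneArgs('--upload-pack=placeholder', 'repo');
console.log(accepted.ok, accepted.args);   // true, [ 'clone', '--depth=1', '--', ... ]
console.log(rejected.ok, rejected.reason); // false, remote looks like a git option
```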
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Simple-Git Project | Simple-Git | < 3.5.0 |
Related Weaknesses (CWE)
References
- https://gist.github.com/lirantal/a930d902294b833514e821102316426b (Exploit, Third Party Advisory)
- https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306 (Patch, Third Party Advisory)
FAQ
What is CVE-2022-24066?
CVE-2022-24066 is a vulnerability with a CVSS score of 8.1 (HIGH). The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against...
How severe is CVE-2022-24066?
CVE-2022-24066 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24066?
Check the references section above for vendor advisories and patch information. Affected products include: Simple-Git (Simple-Git Project), versions before 3.5.0.