CVE-2022-25860

Exploit

EPSS 41.35%
Veröffentlicht 26.01.2023 21:15:31
Zuletzt bearbeitet 01.04.2025 16:15:15
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

simple-git < 3.16.0 - Remote Code Execution

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization.
This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Mögliche Gegenmaßnahme

Ads.txt Manager: Update to version 1.4.3, or a newer patched version

Insecure Content Warning: Update to version 1.1.0, or a newer patched version

Block for Apple Maps: Update to version 1.1.1, or a newer patched version

Retro Winamp Block: Update to version 1.3.0, or a newer patched version

Simple Local Avatars: Update to version 2.7.4, or a newer patched version

Simple Podcasting: Update to version 1.5.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Ads.txt Manager

Version *-1.4.2

SystemWordPress Plugin

≫

Produkt Insecure Content Warning

Version *-1.0.3

SystemWordPress Plugin

≫

Produkt Block for Apple Maps

Version *-1.1.0

SystemWordPress Plugin

≫

Produkt Retro Winamp Block

Version [*, 1.3.0)

SystemWordPress Plugin

≫

Produkt Simple Local Avatars

Version *-2.7.3

SystemWordPress Plugin

≫

Produkt Simple Podcasting

Version *-1.4.0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Simple-git Project ≫ Simple-git SwPlatformnode.js Version < 3.16.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	41.35%	0.973

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
report@snyk.io	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951

Patch

Third Party Advisory

https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13

Patch

Third Party Advisory

https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/46fdd494-8073-4a68-a4ab-1f5767011f67

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-25860