9.8

CVE-2022-25912

Exploit

simple-git < 3.15.0 - Remote Code Execution

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Mögliche Gegenmaßnahme
Autopost for X (formerly Autoshare for Twitter): Update to version 1.3.0, or a newer patched version
ElasticPress: Update to version 4.4.1, or a newer patched version
Insert Special Characters: Update to version 1.0.6, or a newer patched version
Block for Apple Maps: Update to version 1.1.0, or a newer patched version
Simple Podcasting: Update to version 1.4.0, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Autopost for X (formerly Autoshare for Twitter)
Version *-1.2.1
SystemWordPress Plugin
Produkt ElasticPress
Version *-4.4.0
SystemWordPress Plugin
Produkt Insert Special Characters
Version *-1.0.5
SystemWordPress Plugin
Produkt Block for Apple Maps
Version *-1.0.3
SystemWordPress Plugin
Produkt Simple Podcasting
Version *-1.3.0
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Simple-git ProjectSimple-git SwPlatformnode.js Version < 3.15.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 43.3% 0.974
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
report@snyk.io 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.