CVE-2022-25912

Sažetak

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

Reference

https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

CVSS

Base:	8.1
Impact:	5.9
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

22-04-2025 - 21:15

Objavljeno

06-12-2022 - 05:15