CVE-2022-24066

moderate-risk
Published 2022-04-01

The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199) which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

Do I need to act?

~
3.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Simple-Git Project

References (8)

Exploit https://gist.github.com/lirantal/a930d902294b833514e821102316426b
Patch https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56...
Patch https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820
Patch https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306
Exploit https://gist.github.com/lirantal/a930d902294b833514e821102316426b
Patch https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56...
Patch https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820
Patch https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306
35
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal