CVE-2022-24437

moderate-risk

Published 2022-05-01

The package git-pull-or-clone before 2.0.2 are vulnerable to Command Injection due to the use of the --upload-pack feature of git which is also supported for git clone. The source includes the use of the secure child process API spawn(). However, the outpath parameter passed to it may be a command-line argument to the git clone command and result in arbitrary command injection.

Do I need to act?

10.4% chance of exploitation in next 30 days

EPSS score — higher than 90% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 7c99adeaea03aeb31631d71037fd792db0bfdc83, f9ce092be13cc32e685dfa26e7705e9c6e3108a3

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Git-Pull-Or-Clone

Affected Vendors

Git-Pull-Or-Clone Project

References (6)

Exploit https://gist.github.com/lirantal/327e9dd32686991b5a1fa6341aac2e7b

Patch https://github.com/feross/git-pull-or-clone/commit/f9ce092be13cc32e685dfa26e7705...

Exploit https://snyk.io/vuln/SNYK-JS-GITPULLORCLONE-2434307

Exploit https://gist.github.com/lirantal/327e9dd32686991b5a1fa6341aac2e7b

Patch https://github.com/feross/git-pull-or-clone/commit/f9ce092be13cc32e685dfa26e7705...

Exploit https://snyk.io/vuln/SNYK-JS-GITPULLORCLONE-2434307

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 11/34 · Low

Exposure 5/34 · Minimal