WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2022-25860 Vulnerability in npm package simple-git

Description

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Remediation

References

https://github.com/steveukx/git-js/commit/ec97a39ab60b89e870c5170121cd9c1603cc1951

https://github.com/steveukx/git-js/pull/881/commits/95459310e5b8f96e20bb77ef1a6559036b779e13

https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3177391

Related Vulnerabilities

CVE-2017-7662 Vulnerability in maven package org.apache.cxf.fediz:fediz-cxf

CVE-2022-24822 Vulnerability in npm package @podium/proxy

CVE-2020-35202 Vulnerability in maven package org.igniterealtime.openfire.plugins:dbaccess

CVE-2021-32731 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web

CVE-2021-23326 Vulnerability in npm package @graphql-tools/git-loader

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit NVD-CWE-noinfo