CVE-2022-24066: Improper Neutralization of Special Elements used in a Command ('Command Injection')
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
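As an added example (not simple-git's own code, nor GitLab's), the following JavaScript builds a git clone argument vector and refuses caller-supplied values that would reach git's --upload-pack / -u option, the vector this advisory describes; the helper names and the allow-list of pass-through options are assumptions for the example.

```javascript
// Added example: screening arguments for a `git clone` wrapper.
// Option names (--upload-pack, -u, --depth, ...) are git's own;
// the helper names and ALLOWED_CLONE_OPTIONS are assumptions.

// Options a wrapper chooses to pass through. Anything else that looks like
// an option is rejected, so `--upload-pack`, `-u`, and abbreviated long
// options that git would still accept never reach the command line.
const ALLOWED_CLONE_OPTIONS = new Set(['--depth', '--branch', '--single-branch']);

function looksLikeOption(arg) {
  return typeof arg !== 'string' || arg.startsWith('-');
}

// Vulnerable pattern: caller input placed straight into argv. No shell is
// involved, so spawn()-style argument arrays do not help: git itself parses
// `--upload-pack=<cmd>` and runs <cmd> to talk to the "remote".
function buildCloneArgsUnchecked(repo, dir, extra = []) {
  return ['clone', ...extra, repo, dir];
}

// Hardened form: allow-list the options, reject option-looking positionals,
// and end option parsing with `--` before the repository and directory.
function buildCloneArgs(repo, dir, extra = []) {
  for (const arg of extra) {
    if (!looksLikeOption(arg)) continue;        // an option value, e.g. the "1" in `--depth 1`
    const name = arg.split('=')[0];             // `--depth=1` -> `--depth`
    if (!ALLOWED_CLONE_OPTIONS.has(name)) {
      throw new Error(`git clone option not permitted: ${arg}`);
    }
  }
  if (looksLikeOption(repo) || (dir !== undefined && looksLikeOption(dir))) {
    throw new Error('repository and directory must not begin with "-"');
  }
  const positional = dir === undefined ? [repo] : [repo, dir];
  return ['clone', ...extra, '--', ...positional];
}
```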
Detect and mitigate CVE-2022-24066 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.