CVE-2022-25912: Improper Neutralization of Special Elements used in a Command ('Command Injection')
The package simple-git before 3.15.0 is vulnerable to remote code execution (RCE) when the ext transport protocol is enabled: a remote URL that uses git's ext:: transport is passed through to the git binary, so an attacker who controls the URL handed to the clone() method can execute arbitrary commands on the host running simple-git. The vulnerability exists because the fix for CVE-2022-24066 was incomplete. Version 3.15.0 blocks the ext transport by default; re-enabling it requires the explicit override described in the unsafe-actions plugin documentation linked below, so applications that clone user-supplied remotes should upgrade and leave that override unset.
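The following is an added example, not code from the advisory or from the simple-git project: two pre-flight checks an application that clones user-supplied remotes can run before passing a URL to simple-git's clone(). The first flags an installed simple-git version below the fixed release 3.15.0; the second rejects git's remote-helper URL syntax (the ext:: form this advisory concerns, which git-remote-ext runs as a shell command) and accepts only an allow-list of transports. The function names, the allow-list, and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not part of the advisory or of simple-git). Pure functions,
// so they run stand-alone; wire them in front of simpleGit().clone() yourself.

const FIXED_VERSION = [3, 15, 0]; // first simple-git release that blocks ext:: by default

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when a resolved simple-git version (from the lockfile, not the range in
// package.json) is below 3.15.0. A leading "v" is tolerated; a pre-release of
// 3.15.0 itself ("3.15.0-rc.1") is treated as older than the fixed release.
function isVulnerableVersion(version) {
  const stripped = String(version).trim().replace(/^[v\s]+/, '');
  const [core, prerelease] = stripped.split('-', 2);
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  const cmp = compareTriples(parts, FIXED_VERSION);
  return cmp < 0 || (cmp === 0 && prerelease !== undefined);
}

// Transports this (hypothetical) service is willing to clone from.
const ALLOWED_SCHEMES = new Set(['https', 'ssh', 'git']);

// Decide whether a remote string may be handed to clone().
// Returns { ok: true, scheme } or { ok: false, reason }.
function checkRemoteUrl(raw) {
  const url = String(raw).trim();
  if (url === '') return { ok: false, reason: 'empty remote' };

  // Git treats "<helper>::<address>" as a call to git-remote-<helper>; for
  // "ext::" that helper executes <address> as a command, which is the RCE path
  // this advisory describes. Refuse the whole helper syntax, not just "ext".
  if (/^[A-Za-z0-9+.-]+::/.test(url)) {
    return { ok: false, reason: 'remote-helper syntax (for example ext::) is not allowed' };
  }

  // General hardening, independent of this CVE: a remote starting with "-"
  // could be parsed by git as a command-line option rather than a URL.
  if (url.startsWith('-')) {
    return { ok: false, reason: 'remote looks like a command-line option' };
  }

  // scp-like form, e.g. git@github.com:org/repo.git, is always SSH.
  if (/^[\w.-]+@[\w.-]+:[^\s/][^\s]*$/.test(url)) {
    return { ok: true, scheme: 'ssh' };
  }

  // Otherwise require an explicit "<scheme>://" and allow-list the scheme.
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\//.exec(url);
  if (!m) return { ok: false, reason: 'local paths and bare hosts are not accepted' };
  const scheme = m[1].toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: `scheme "${scheme}" is not allow-listed` };
  }
  return { ok: true, scheme };
}

// Combined gate: refuse to clone at all on a vulnerable library version, and
// refuse any remote that fails the URL check on any version.
function preflightClone(installedVersion, remote) {
  if (isVulnerableVersion(installedVersion)) {
    return { ok: false, reason: `simple-git ${installedVersion} is below 3.15.0; upgrade before cloning untrusted remotes` };
  }
  return checkRemoteUrl(remote);
}

// Constructed sample inputs for a stand-alone run.
const SAMPLES = [
  'https://github.com/steveukx/git-js.git',
  'git@github.com:steveukx/git-js.git',
  'ext::sh -c id',           // the transport this advisory is about
  '--upload-pack=id',        // option-shaped remote
  'file:///tmp/repo',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(preflightClone('3.15.0', s)));
}
```

The URL check is defence in depth, not a replacement for the upgrade: on versions before 3.15.0 nothing in the application layer stops git itself from honouring an ext:: remote that slips through, which is why preflightClone refuses outright on a vulnerable version.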
References
- github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols
- github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- github.com/steveukx/git-js/releases/tag/simple-git@3.15.0
- nvd.nist.gov/vuln/detail/CVE-2022-25912
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221