simple-git is vulnerable to remote code execution. The vulnerability exists in the clone() function of git.js because it enables the ext transport protocol, which allows an attacker to inject and execute arbitrary code on the system. This is the result of an incomplete fix for CVE-2022-24066.
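One way to refuse the inputs described above before they reach clone(), as an added example that is not simple-git's own code: the function name checkCloneInput, the scheme allowlist and the sample inputs are assumptions made for illustration.

```javascript
// Added example; checkCloneInput and the allowlist are hypothetical, not simple-git API.

// Policy assumption: the application only ever clones over these schemes.
const ALLOWED_SCHEMES = new Set(['https:', 'http:', 'ssh:']);

// git remote-helper syntax "<transport>::<address>", which is how ext is selected.
const REMOTE_HELPER = /^[A-Za-z0-9][A-Za-z0-9+.-]*::/;

// git config keys that switch transports on: protocol.allow, protocol.<name>.allow
const PROTOCOL_ALLOW = /protocol\.([a-z0-9+.-]+\.)?allow/i;

function checkCloneInput(repoUrl, options = []) {
  const problems = [];
  const url = String(repoUrl).trim();

  if (url.startsWith('-')) {
    problems.push('repository argument would be parsed as an option');
  } else if (REMOTE_HELPER.test(url)) {
    problems.push('remote-helper transport (<name>::) is not allowed');
  } else {
    let scheme = null;
    try { scheme = new URL(url).protocol; } catch { /* not an absolute URL */ }
    if (!ALLOWED_SCHEMES.has(scheme)) {
      problems.push(`scheme ${scheme || '(none)'} is not on the allowlist`);
    }
  }

  // Options may arrive as an array of strings or as a key/value object.
  const flat = Array.isArray(options)
    ? options.map(String)
    : Object.entries(options).map(([k, v]) => `${k}=${v}`);
  for (const opt of flat) {
    if (PROTOCOL_ALLOW.test(opt)) {
      problems.push(`option overrides allowed protocols: ${opt}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  ['https://github.com/steveukx/git-js.git', ['--depth', '1']],
  ['ext::constructed-helper placeholder', []],
  ['https://example.com/repo.git', ['-c', 'protocol.ext.allow=always']],
];
for (const [url, opts] of SAMPLES) {
  console.log(url, JSON.stringify(checkCloneInput(url, opts)));
}
```

The strict scheme check also rejects scp-style remotes such as git@host:path; widen the allowlist deliberately if the application needs them.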
CPE

Name | Operator | Version
---|---|---
simple-git | le | 3.14.1
simple-git | le | 3.14.0
github.com/advisories/GHSA-9p95-fxvg-qgq2
github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols
github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
github.com/steveukx/git-js/pull/862
github.com/steveukx/git-js/releases/tag/simple-git@3.15.0