High severityNVD Advisory· Published Apr 1, 2022· Updated Sep 16, 2024
Command Injection
CVE-2022-24066
Description
The package simple-git before 3.5.0 are vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
simple-gitnpm | < 3.5.0 | 3.5.0 |
Affected products
2- simple-git/simple-gitdescription
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-28xr-mwxg-3qc8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24066ghsaADVISORY
- gist.github.com/lirantal/a930d902294b833514e821102316426bghsax_refsource_MISCWEB
- github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5ghsax_refsource_MISCWEB
- github.com/steveukx/git-js/releases/tag/simple-git%403.5.0ghsaWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.