CVE-2022-24066
published 2022-04-01


Priority: P354
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.07% (89.4th percentile)
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of [CVE-2022-24433](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199), which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

Affected

7 ranges

Vendor             | Product    | Version range            | Fixed in
-------------------|------------|--------------------------|---------
simple-git_project | simple-git | < 3.36.0                 | 3.36.0
simple-git_project | simple-git | < 3.5.0                  | 3.5.0
simple-git_project | simple-git | < 3.15.0                 | 3.15.0
simple-git_project | simple-git | >= 0 < 3.15.0            | 3.15.0
simple-git_project | simple-git | >= 0 < 3.5.0             | 3.5.0
simple-git_project | simple-git | >= 0 < 3.32.0            | 3.32.0
simple-git_project | simple-git | >= unspecified < 3.15.0  | 3.15.0

CVSS provenance

Source | CVSS version | Score | Severity | Vector
-------|--------------|-------|----------|-------
nvd    | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0         | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa   |              | 9.8   | CRITICAL |
osv    |              | 9.8   | CRITICAL |