Vulnerability Details CVE-2022-25912
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.413
EPSS Ranking 97.3%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
Products affected by CVE-2022-25912
-
cpe:2.3:a:simple-git_project:simple-git:-
-
cpe:2.3:a:simple-git_project:simple-git:3.0.0
-
cpe:2.3:a:simple-git_project:simple-git:3.0.1
-
cpe:2.3:a:simple-git_project:simple-git:3.0.2
-
cpe:2.3:a:simple-git_project:simple-git:3.0.3
-
cpe:2.3:a:simple-git_project:simple-git:3.0.4
-
cpe:2.3:a:simple-git_project:simple-git:3.1.0
-
cpe:2.3:a:simple-git_project:simple-git:3.1.1
-
cpe:2.3:a:simple-git_project:simple-git:3.10.0
-
cpe:2.3:a:simple-git_project:simple-git:3.11.0
-
cpe:2.3:a:simple-git_project:simple-git:3.12.0
-
cpe:2.3:a:simple-git_project:simple-git:3.13.0
-
cpe:2.3:a:simple-git_project:simple-git:3.14.0
-
cpe:2.3:a:simple-git_project:simple-git:3.14.1
-
cpe:2.3:a:simple-git_project:simple-git:3.2.4
-
cpe:2.3:a:simple-git_project:simple-git:3.2.6
-
cpe:2.3:a:simple-git_project:simple-git:3.3.0
-
cpe:2.3:a:simple-git_project:simple-git:3.4.0
-
cpe:2.3:a:simple-git_project:simple-git:3.5.0
-
cpe:2.3:a:simple-git_project:simple-git:3.6.0
-
cpe:2.3:a:simple-git_project:simple-git:3.7.0
-
cpe:2.3:a:simple-git_project:simple-git:3.7.1
-
cpe:2.3:a:simple-git_project:simple-git:3.8.0
-
cpe:2.3:a:simple-git_project:simple-git:3.9.0