CVE-2022-24433
Command injection in simple-git
Severity: 8.1 HIGH (CVSS 3.1)
EPSS: 0.51%
Description
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary command execution.
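A defensive guard for the call shape described above, added here as an example and not code from the simple-git project: it rejects remote and branch values that git could parse as options before they reach .fetch(). The names `isSafeGitName`, `safeFetch`, `gitClient` and the `fakeGit` stand-in are assumptions; with the real library you would pass the object returned by `simpleGit()` as `gitClient`.

```javascript
// Conservative allow-list for remote and branch names: letters, digits and a few
// separators, never a leading '-', which git would read as an option flag.
// Assumed helper, not part of simple-git.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;

function isSafeGitName(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 255) return false;
  if (value.startsWith('-')) return false;       // would be parsed as a git option
  if (!SAFE_NAME.test(value)) return false;      // blocks spaces, control chars, shell metas
  // Sequences git-check-ref-format also refuses in ref names
  if (value.includes('..') || value.endsWith('.lock') || value.endsWith('/')) return false;
  return true;
}

// Wrapper around a simple-git-like client exposing fetch(remote, branch).
// The client is injected so this file runs offline; it passes through whatever
// gitClient.fetch returns (a Promise with the real library).
function safeFetch(gitClient, remote, branch) {
  if (!isSafeGitName(remote)) throw new Error(`rejected remote name: ${JSON.stringify(remote)}`);
  if (!isSafeGitName(branch)) throw new Error(`rejected branch name: ${JSON.stringify(branch)}`);
  return gitClient.fetch(remote, branch);
}

// Constructed stand-in for a simple-git instance: records the arguments it was
// handed instead of spawning git, so the guard can be exercised without a repo.
function fakeGit() {
  const calls = [];
  return {
    calls,
    fetch(remote, branch) {
      calls.push(['fetch', remote, branch]);
      return `fetched ${remote}/${branch}`;
    },
  };
}
```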
How to fix CVE-2022-24433
To remediate CVE-2022-24433, upgrade the affected package to a fixed version below.
- upgrade to 3.3.0 or later
Is CVE-2022-24433 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- simple-git: from 0, < 3.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |