Description
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Remediation
References
https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
Related Vulnerabilities
CVE-2022-23619 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web
CVE-2017-16129 Vulnerability in maven package org.webjars.npm:superagent
CVE-2022-28366 Vulnerability in maven package net.sourceforge.nekohtml:nekohtml
CVE-2022-39243 Vulnerability in maven package com.zaxxer:nuprocess
CVE-2023-25764 Vulnerability in maven package org.jenkins-ci.plugins:email-ext