Description

The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).

Remediation

References

https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols

https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504

https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532

https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221

Related Vulnerabilities

CVE-2020-26289 Vulnerability in maven package org.webjars.npm:date-and-time

CVE-2023-26486 Vulnerability in maven package org.webjars.bowergithub.vega:vega

CVE-2022-37264 Vulnerability in npm package steal

CVE-2023-29208 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2023-26473 Vulnerability in maven package org.xwiki.platform:xwiki-platform-query-manager

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Broken Link Patch Third Party Advisory Release Notes Exploit