Vulnerability Details CVE-2022-25912
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.028
EPSS Ranking 84.5%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
- https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols
- https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504
- https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532
- https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
Products affected by CVE-2022-25912
-
cpe:2.3:a:simple-git_project:simple-git:-
-
cpe:2.3:a:simple-git_project:simple-git:3.0.0
-
cpe:2.3:a:simple-git_project:simple-git:3.0.1
-
cpe:2.3:a:simple-git_project:simple-git:3.0.2
-
cpe:2.3:a:simple-git_project:simple-git:3.0.3
-
cpe:2.3:a:simple-git_project:simple-git:3.0.4
-
cpe:2.3:a:simple-git_project:simple-git:3.1.0
-
cpe:2.3:a:simple-git_project:simple-git:3.1.1
-
cpe:2.3:a:simple-git_project:simple-git:3.10.0
-
cpe:2.3:a:simple-git_project:simple-git:3.11.0
-
cpe:2.3:a:simple-git_project:simple-git:3.12.0
-
cpe:2.3:a:simple-git_project:simple-git:3.13.0
-
cpe:2.3:a:simple-git_project:simple-git:3.14.0
-
cpe:2.3:a:simple-git_project:simple-git:3.14.1
-
cpe:2.3:a:simple-git_project:simple-git:3.2.4
-
cpe:2.3:a:simple-git_project:simple-git:3.2.6
-
cpe:2.3:a:simple-git_project:simple-git:3.3.0
-
cpe:2.3:a:simple-git_project:simple-git:3.4.0
-
cpe:2.3:a:simple-git_project:simple-git:3.5.0
-
cpe:2.3:a:simple-git_project:simple-git:3.6.0
-
cpe:2.3:a:simple-git_project:simple-git:3.7.0
-
cpe:2.3:a:simple-git_project:simple-git:3.7.1
-
cpe:2.3:a:simple-git_project:simple-git:3.8.0
-
cpe:2.3:a:simple-git_project:simple-git:3.9.0