From 34ad8f92e3c15c71b954a206856fd3705c7495a8 Mon Sep 17 00:00:00 2001 From: snyk-security-bot <66014823+snyk-security-bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 16:12:05 +0000 Subject: [PATCH] Adds CVE-2022-24433 --- 2022/24xxx/CVE-2022-24433.json | 88 ++++++++++++++++++++++++++++++++-- 1 file changed, 84 insertions(+), 4 deletions(-) diff --git a/2022/24xxx/CVE-2022-24433.json b/2022/24xxx/CVE-2022-24433.json index b1b83a541ce..ab349144c5e 100644 --- a/2022/24xxx/CVE-2022-24433.json +++ b/2022/24xxx/CVE-2022-24433.json @@ -3,16 +3,96 @@ "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "report@snyk.io", + "DATE_PUBLIC": "2022-03-11T16:12:03.865726Z", "ID": "CVE-2022-24433", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Command Injection" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "simple-git", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "3.3.0" + } + ] + } + } + ] + }, + "vendor_name": "n/a" + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Command Injection" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199" + }, + { + "refsource": "CONFIRM", + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245" + }, + { + "refsource": "CONFIRM", + "url": "https://github.com/steveukx/git-js/pull/767" + }, + { + "refsource": "CONFIRM", + "url": "https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.\n" } ] - } + }, + "impact": { + "cvss": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "attackVector": "NETWORK", + "attackComplexity": "HIGH", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH" + } + }, + "credit": [ + { + "lang": "eng", + "value": "Alessio Della Libera of Snyk Research Team" + } + ] } \ No newline at end of file