CVE-2022-24066
Command Injection vulnerability in simple-git (npm)


What is CVE-2022-24066 About?

This vulnerability is a command injection flaw in `simple-git` versions prior to 3.5.0, resulting from an incomplete fix for a previous command injection issue. It allows attackers to execute arbitrary commands by exploiting the `git clone` functionality with specially crafted inputs. The exploitation is relatively easy as it leverages a known attack vector that was not fully patched.

Affected Software

simple-git <3.5.0

Technical Details

The `simple-git` package, used for running git commands in Node.js applications, is vulnerable to Command Injection. The preceding fix for CVE-2022-24433 only addressed the `git fetch` attack vector by patching the use of the `--upload-pack` feature. However, the same `--upload-pack` feature is also supported for `git clone`, which was overlooked in the initial fix. An attacker can craft malicious input for the `git clone` command that utilizes this unpatched vector, thereby injecting and executing arbitrary system commands through git-js. This allows for remote code execution on the host system running the affected `simple-git` version.

What is the Impact of CVE-2022-24066?

Successful exploitation may allow attackers to execute arbitrary commands on the underlying operating system with the privileges of the affected application. This could lead to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2022-24066?

Exploitation of this vulnerability is of moderate complexity, requiring specific knowledge of the `git clone` command's `--upload-pack` feature and how to craft malicious input strings. No authentication is explicitly required, but the attacker needs to provide the crafted input to the `simple-git` clone function within an application. This is a remote vulnerability if the application processing user-supplied URLs for `git clone` operations is exposed. The primary risk factor is applications that directly handle untrusted user input when invoking `git clone` with `simple-git`.
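One way to check untrusted clone arguments before they reach `simple-git`, shown as an added example that is not part of the original advisory or of simple-git's own code. The function name `checkCloneRequest`, the option allowlist, the accepted URL schemes and the sample inputs are assumptions chosen for illustration.

```javascript
'use strict';

// Hypothetical allowlist of the only clone options this application needs.
// Value: true if the option must be written as --name=value.
const ALLOWED_CLONE_OPTIONS = new Map([
  ['--depth', true],
  ['--branch', true],
  ['--single-branch', false],
  ['--no-tags', false],
]);
const ALLOWED_PROTOCOLS = new Set(['https:', 'ssh:']); // assumed policy
const SAFE_VALUE = /^[A-Za-z0-9][\w./-]*$/; // never begins with "-"

// Returns the reasons a clone request is refused; an empty array means the
// arguments may be passed on to simple-git's clone().
function checkCloneRequest(repoUrl, localPath, options = []) {
  const problems = [];
  let parsed = null;
  try {
    parsed = new URL(repoUrl);
  } catch {
    // Not an absolute URL (this includes any string starting with "-").
  }
  if (!parsed || !ALLOWED_PROTOCOLS.has(parsed.protocol) || /\s/.test(repoUrl)) {
    problems.push('repository must be an absolute https:// or ssh:// URL');
  }
  if (typeof localPath !== 'string' || localPath === '' || localPath.startsWith('-')) {
    problems.push('local path must be non-empty and must not start with "-"');
  }
  for (const opt of options) {
    // Match the option name exactly against the allowlist, so --upload-pack
    // and every other unlisted option is refused without a denylist.
    const [name, value] = String(opt).split(/=(.*)/s);
    const takesValue = ALLOWED_CLONE_OPTIONS.get(name);
    if (takesValue === undefined) {
      problems.push(`option not on allowlist: ${name}`);
    } else if (takesValue !== (value !== undefined)) {
      problems.push(`option ${name} must be ${takesValue ? '--name=value' : 'a bare flag'}`);
    } else if (takesValue && !SAFE_VALUE.test(value)) {
      problems.push(`unsafe value for ${name}`);
    }
  }
  return problems;
}

// Constructed sample requests.
console.log(checkCloneRequest('https://example.com/org/repo.git', 'work/repo', ['--depth=1']));
console.log(checkCloneRequest('https://example.com/org/repo.git', 'work/repo', ['--upload-pack=placeholder']));
```

A check like this complements the upgrade to 3.5.0 and does not replace it.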

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2022-24066?

Available Upgrade Options

  • simple-git
    • <3.5.0 → Upgrade to 3.5.0

What are Similar Vulnerabilities to CVE-2022-24066?

Similar Vulnerabilities: CVE-2022-24433, CVE-2021-4113, CVE-2020-5247, CVE-2020-11008, CVE-2016-10531