CVE-2022-24433
Command Injection vulnerability in simple-git (npm)

Type: Command Injection. Public exploit: none known.

What is CVE-2022-24433 About?

This vulnerability is a Command Injection in `simple-git` versions before 3.3.0, reached through argument injection in the `.fetch()` function. An attacker who controls the `remote` or `branch` parameter can smuggle a Git option into the `git fetch` command line and make the Git client execute an arbitrary program. The vulnerability is rated critical and is relatively easy to exploit once untrusted input reaches `.fetch()`.

Affected Software

simple-git <3.3.0

Technical Details

The simple-git package, in versions prior to 3.3.0, is susceptible to argument injection when its `.fetch(remote, branch, handlerFn)` function is used. The `remote` and `branch` values are placed directly on the `git fetch` command line without being checked for option syntax. An attacker can therefore supply a Git option such as `--upload-pack='<command>'` as either the `remote` or the `branch` string. Because Git's option parser treats any token beginning with `-` as an option, the Git client honours the injected `--upload-pack` and starts the named program to serve the transfer, so the command runs with the privileges of the process hosting the simple-git application. The fix in 3.3.0 makes `.fetch()` refuse such values before a process is spawned.
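As an added illustration (not code from simple-git or from this page), the following models how a wrapper that passes `remote` and `branch` straight to `git fetch` turns a `--upload-pack=` value into an option Git honours, and shows the check a wrapper should apply before anything is spawned. The function names, the argv model and the payload strings are assumptions made for the example; the model is a simplification, not simple-git's actual implementation. It also goes slightly beyond the advisory by treating `--receive-pack` (the push-side equivalent) and every option-shaped value as suspect, not only `--upload-pack` in `fetch()`.

```javascript
// Added illustration for CVE-2022-24433; this is not simple-git's own code.
// It models how appending user-supplied `remote` and `branch` to `git fetch`
// lets an attacker smuggle `--upload-pack=<program>` past the wrapper, and what
// a validating wrapper should do instead. All names below are assumptions.

// Simplified model of the pre-3.3.0 behaviour described in the advisory:
// both positional values go straight onto the git command line.
function buildFetchArgsUnsafe(remote, branch) {
  return ['fetch', remote, branch];
}

// Git options that make the client execute a caller-named program. fetch, pull,
// clone and ls-remote accept --upload-pack; push accepts --receive-pack. This is
// a generalisation beyond the advisory, which covers only fetch(). The pattern
// matches both `--upload-pack=prog` and the two-token form `--upload-pack prog`.
const PROGRAM_OPTIONS = /^--(upload-pack|receive-pack)(=|$)/;

// Git's option parser treats every token that starts with '-' as an option
// until it sees '--' or --end-of-options, so any option-shaped positional is
// suspect, not just the two above. Returns the offending tokens ([] when clean).
function findOptionLikeArgs(positionals) {
  return positionals.filter((a) => typeof a === 'string' && a.startsWith('-'));
}

// Hardened builder: rejects anything git could read as an option before a
// process is ever spawned. Throws on bad input; returns the argv otherwise.
function buildFetchArgsSafe(remote, branch) {
  for (const [name, value] of [['remote', remote], ['branch', branch]]) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
    if (value.startsWith('-')) {
      const why = PROGRAM_OPTIONS.test(value)
        ? 'program-execution option'
        : 'option-shaped value';
      throw new Error(`refusing ${name}: ${why} ${JSON.stringify(value)}`);
    }
  }
  return ['fetch', remote, branch];
}

// Guard to place in front of a simple-git instance (even a patched one) so that
// untrusted input is checked before it reaches the library. `git` is any object
// with a fetch(remote, branch) method: real code passes the simple-git instance,
// the test below passes a stand-in that just echoes the argv.
function safeFetch(git, remote, branch) {
  buildFetchArgsSafe(remote, branch); // throws on injection attempts
  return git.fetch(remote, branch);
}

// Constructed attacker inputs (not taken from any real incident). With the
// unsafe builder, git sees `--upload-pack=touch /tmp/pwned` as an option and
// `main` as the repository to fetch from; it starts the named program to serve
// the transfer, so the command runs even though `main` is not a valid remote.
const PAYLOAD_EQUALS = '--upload-pack=touch /tmp/pwned';
// Two-token form: option in the remote slot, its value in the branch slot.
// No repository is left on the command line, so whether the program is run then
// depends on the transport of the default remote; the builder rejects it anyway.
const PAYLOAD_SPLIT_REMOTE = '--upload-pack';
const PAYLOAD_SPLIT_BRANCH = 'touch /tmp/pwned';

// Walks the unsafe and safe paths with the equals-form payload and reports
// what each produced, so the difference can be checked without running git.
function demo() {
  const unsafeArgv = buildFetchArgsUnsafe(PAYLOAD_EQUALS, 'main');
  const flagged = findOptionLikeArgs(unsafeArgv.slice(1));
  let blocked = false;
  try {
    buildFetchArgsSafe(PAYLOAD_EQUALS, 'main');
  } catch (e) {
    blocked = true;
  }
  return { unsafeArgv, flagged, blocked };
}
```

Rejecting every leading dash is deliberately stricter than blocking `--upload-pack` alone: a denylist of dangerous flags has to be kept in step with Git, whereas legitimate remote names, URLs and branch names never start with `-`. On Git 2.24 or newer, inserting `--end-of-options` before the positional arguments is a second line of defence for callers who must accept odd-looking names.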

What is the Impact of CVE-2022-24433?

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the affected application, which can lead to complete compromise of the host, tampering with or destruction of data, or exfiltration of data and credentials.

What is the Exploitability of CVE-2022-24433?

Exploitation consists of getting a specially crafted `remote` or `branch` value into a `.fetch()` call made by the application. Complexity is low to medium: the payload is a documented Git option, not a memory-corruption primitive. Whether authentication is required depends entirely on how the application obtains the `remote` and `branch` values; if they come from user-controlled input such as a repository URL or branch name submitted through a web form or API, no prior authentication is needed. No privileges beyond the application's own execution context are required, and the attack can be launched remotely or locally, wherever the attacker can control the input to `.fetch()`. The only preconditions are a vulnerable simple-git version and untrusted input reaching the fetch method. The risk is highest for applications that expose Git operations to external users or that process untrusted repository URLs or branch names.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-24433?

Available Upgrade Options

  • simple-git
    • <3.3.0 → Upgrade to 3.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-24433?

Similar Vulnerabilities: CVE-2022-2127 , CVE-2021-23425 , CVE-2021-3918 , CVE-2021-23377 , CVE-2020-7770