{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T07:07:57.362","vulnerabilities":[{"cve":{"id":"CVE-2022-24433","sourceIdentifier":"report@snyk.io","published":"2022-03-11T17:16:06.510","lastModified":"2024-11-21T06:50:24.690","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution."},{"lang":"es","value":"El paquete simple-git versiones anteriores a 3.3.0, es vulnerable a una Inyección de Comandos por medio de una inyección de argumentos. Cuando se llama a la función .fetch(remote, branch, handlerFn), los parámetros remote y branch son pasados al subcomando git fetch. Inyectando algunas opciones de git era posible conseguir una ejecución arbitraria de 
comandos"}],"metrics":{"cvssMetricV31":[{"source":"report@snyk.io","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-88"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:simple-git_project:simple-git:*:*:*:*:*:node.js:*:*","versionEndExcluding":"3.3.0","matchCriteriaId":"A7719BC3-42C3-4C38-B958-B721837A9E19"}]}]}],"references":[{"url":"https://github.com/steveukx/git-js/pull/767","source":"report@snyk.io","tags":["Patch","Third Party 
Advisory"]},{"url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0","source":"report@snyk.io","tags":["Patch","Third Party Advisory"]},{"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245","source":"report@snyk.io","tags":["Patch","Third Party Advisory"]},{"url":"https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199","source":"report@snyk.io","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/steveukx/git-js/pull/767","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.3.0","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2421245","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2421199","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]}]}}]}