Exploit
CVE-2022-24437

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: May 1, 2022 / Updated: 31mo ago

CVSS 9.8 / EPSS 0.1% / Critical

The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported for git clone. The source uses the secure child process API spawn(). However, the outpath parameter passed to it may be interpreted as a command-line argument to the git clone command and result in arbitrary command injection.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2022-24437.

Apr 10, 2022 at 12:00 PM / security.snyk.io
EPSS

EPSS Score was set to: 0.1% (Percentile: 40.1%)

Sep 17, 2023 at 9:16 AM

Affected Systems

Git-pull-or-clone_project/git-pull-or-clone

Exploits

https://gist.github.com/lirantal/327e9dd32686991b5a1fa6341aac2e7b

Patches

github.com

Attack Patterns

CAPEC-136: LDAP Injection

Vendor Advisory

OS Command Injection in git-pull-or-clone
GitHub Security Advisory: GHSA-3x62-x456-q2vm
Release Date: 2022-05-03
Update Date: 2022-05-23
Severity: Critical
CVE-2022-24437
Base Score: 9.8
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Information
Package: git-pull-or-clone
Affected Versions:
Patched Versions: 2.0.2
Description: The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported for git clone.

References

Rewterz Threat Advisory – CVE-2022-24437 – Node.js git-pull-or-clone module Vulnerability
The Node.js git-pull-or-clone module could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw in the use of the --upload-pack feature of git. By sending a specially crafted argument to the git clone command, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

News

Update Tue Dec 6 09:44:06 UTC 2022
🚨 NEW: CVE-2022-24437 🚨 The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git which is also supported for git clone. The source includes t... Severity: CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-24437
CVE-2022-24437
CVSS Scores & Vulnerability Types: If the vulnerability was created recently, it may take a few days to gather the vulnerable products list and other information such as CVSS scores.
CVE-2022-24437
The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git, which is also supported for git clone. The source uses the secure child process API spawn(). However, the outpath parameter passed to it may be interpreted as a command-line argument to the git clone command and result in arbitrary command injection. (CVSS:0.0) (Last Update: 2022-05-01)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
