{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-25912","assignerOrgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","assignerShortName":"snyk","datePublished":"2022-12-12T01:49:10.008Z","dateUpdated":"2025-04-22T20:15:14.996Z","dateReserved":"2022-02-24T00:00:00.000Z"},"containers":{"cna":{"title":"Remote Code Execution (RCE)","datePublic":"2022-12-06T00:00:00.000Z","providerMetadata":{"orgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","shortName":"snyk","dateUpdated":"2022-12-06T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306)."}],"affected":[{"vendor":"n/a","product":"simple-git","versions":[{"version":"unspecified","lessThan":"3.15.0","status":"affected","versionType":"custom"}]}],"references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221"},{"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532"},{"url":"https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504"},{"url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0"},{"url":"https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols"}],"credits":[{"lang":"en","value":"Sam Wheating"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","exploitCodeMaturity":"PROOF_OF_CONCEPT","remediationLevel":"NOT_DEFINED","reportConfidence":"NOT_DEFINED","baseScore":8.1,"temporalScore":7.7,"baseSeverity":"HIGH","temporalSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"text","lang":"en","description":"Remote Code Execution (RCE)"}]}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T04:49:44.459Z"},"title":"CVE Program Container","references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221","tags":["x_transferred"]},{"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3153532","tags":["x_transferred"]},{"url":"https://github.com/steveukx/git-js/commit/774648049eb3e628379e292ea172dccaba610504","tags":["x_transferred"]},{"url":"https://github.com/steveukx/git-js/releases/tag/simple-git%403.15.0","tags":["x_transferred"]},{"url":"https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md%23overriding-allowed-protocols","tags":["x_transferred"]}]},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-78","lang":"en","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-22T20:14:53.034027Z","id":"CVE-2022-25912","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-22T20:15:14.996Z"}}]}}