#VU89616 Improper Neutralization of Argument Delimiters in a Command in Simple Git - CVE-2022-24066

Cybersecurity Help s.r.o.

Published: 2024-05-17

Vulnerability identifier: #VU89616

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-24066

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Simple Git
Web applications / Modules and components for CMS

Vendor: Steve King

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an incomplete fix of [CVE-2022-24433] which only patches against the git fetch attack vector. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Simple Git: before 3.5.0

External links
https://gist.github.com/lirantal/a930d902294b833514e821102316426b
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2434820
https://github.com/steveukx/git-js/commit/2040de601c894363050fef9f28af367b169a56c5
https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM i Modernization Engine for Lifecycle Integration