Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affecting org.webjars.npm:simple-git package, versions [,3.14.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-2434820
- published 29 Mar 2022
- disclosed 28 Mar 2022
- credit Liran Tal of Snyk
How to fix?
org.webjars.npm:simple-git to version 3.14.0 or higher.
org.webjars.npm:simple-git is an A light weight interface for running git commands in any node.js application.
Affected versions of this package are vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') due to an incomplete fix of CVE-2022-24433 which only patches against the
git fetch attack vector.
A similar use of the
--upload-pack feature of git is also supported for git clone, which the prior fix didn't cover.
const simpleGit = require('simple-git') const git2 = simpleGit() git2.clone('file:///tmp/zero123', '/tmp/example-new-repo', ['--upload-pack=touch /tmp/pwn']);