CVSS v3: 8.8

CVE-2022-25766

Published: 21/03/2022 Updated: 08/08/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector (CVSS v2): AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

The package ungit prior to 1.5.20 is vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint: the user-controlled values remote and ref are passed to the git fetch command. By injecting git options into these values it was possible to obtain arbitrary command execution.

Vulnerable Product

ungit project ungit

Github Repositories

CodeQL Extended Libraries: The extended libraries for CodeQL and CVEs CodeQL modeling.

Extended libraries

Name | Language | Category | CWE | Summary | Notes | Done?
ExtendedCommandInjection | Javascript | Command Injection | CWE-078 | | | ✔️

CVEs CodeQL modeling

CVE | Title | Refs | Found by | CodeQL modeling by
CVE-2022-25766 | Remote Code Execution (RCE) in Ungit | 1 | Alessio Della Libera | o