CVE-2022-25865

Published: 13/05/2022 Updated: 08/08/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

The package workspace-tools prior to 0.18.4 are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Vulnerable Product	Search on Vulmon	Subscribe to Product
microsoft workspace-tools

Run POC to patch lower versions of workspace-tools

POC-workspace-tools Do a POC to patch lower versions of workspace-tools Background information nvdnistgov/vuln/detail/CVE-2022-25865 CVSS: 98 Critical Vulnerable Environment: OS: Ubuntu 18046 LTS npm: 8110 nodejs: v16142 workspace-tools@0162 Patch Recommendation: Upgrade to v0184 The Dilemma and POC !!! Developers using workspace-tools@0162 might not wan

CWE-88 https://github.com/microsoft/workspace-tools/pull/103 https://snyk.io/vuln/SNYK-JS-WORKSPACETOOLS-2421201 https://github.com/microsoft/workspace-tools/commit/9bc7e65ce497f87e1f363fd47b8f802f3d3cd978 https://nvd.nist.gov https://github.com/martinthong125/POC-workspace-tools

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2022-25865

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect