GHSA-3xpw-vhmv-cw7h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3xpw-vhmv-cw7h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-3xpw-vhmv-cw7h/GHSA-3xpw-vhmv-cw7h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3xpw-vhmv-cw7h
- Aliases
- Published
- 2022-04-26T00:00:35Z
- Modified
- 2025-01-08T14:12:20.850272Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Command injection in czproject/git-php
- Details
-
The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
- Database specific
{ "nvd_published_at": "2022-04-25T17:15:00Z", "github_reviewed_at": "2022-04-27T14:35:56Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-74", "CWE-77" ] }- References
Affected packages
Packagist / czproject/git-php
Package
- Name
- czproject/git-php
- Purl
- pkg:composer/czproject/git-php
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.0.3
Affected versions
v1.*
v1.0.0
v1.0.1
v1.0.2
v2.*
v2.0.0
v3.*
v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.7.0
v3.8.0
v3.9.0-RC1
v3.9.0
v3.9.1
v3.11.0
v3.12.0
v3.13.0
v3.13.1
v3.14.0
v3.15.0
v3.15.1
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.18.0
v3.18.1
v3.18.2
3.*
3.10.0
v4.*
v4.0.0
v4.0.1
v4.0.2