CVE-2022-25866

HIGH

Git-php < 4.0.3 - Command Injection

Title source: rule

Description

The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

References (3)

[Patch, Third Party Advisory] https://github.com/czproject/git-php/commit/5e82d5479da5f16d37a915de4ec55e1ac78de733

View Patch ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/czproject/git-php/releases/tag/v4.0.3

[Exploit, Patch, Third Party Advisory] https://snyk.io/vuln/SNYK-PHP-CZPROJECTGITPHP-2421349

Scores

CVSS v3 8.1

EPSS 0.0199

EPSS Percentile 83.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-88

Status published

Affected Products (2)

git-php_project/git-php < 4.0.3

czproject/git-php < 4.0.3Packagist

Timeline

Published Apr 25, 2022

Tracked Since Feb 18, 2026