Total
217 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25973 | 1 Mc-kill-port Project | 1 Mc-kill-port | 2024-02-28 | N/A | 7.8 HIGH |
| All versions of package mc-kill-port are vulnerable to Arbitrary Command Execution via the kill function, due to missing sanitization of the port argument. | |||||
| CVE-2022-3140 | 3 Debian, Fedoraproject, Libreoffice | 3 Debian Linux, Fedora, Libreoffice | 2024-02-28 | N/A | 6.3 MEDIUM |
| LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6. | |||||
| CVE-2022-42968 | 1 Gitea | 1 Gitea | 2024-02-28 | N/A | 9.8 CRITICAL |
| Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled. | |||||
| CVE-2022-1399 | 1 Device42 | 1 Cmdb | 2024-02-28 | N/A | 9.1 CRITICAL |
| An Argument Injection or Modification vulnerability in the "Change Secret" username field as used in the Discovery component of Device42 CMDB allows a local attacker to run arbitrary code on the appliance with root privileges. This issue affects: Device42 CMDB version 18.01.00 and prior versions. | |||||
| CVE-2022-25900 | 1 Git-clone Project | 1 Git-clone | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git. | |||||
| CVE-2022-45062 | 3 Debian, Fedoraproject, Xfce | 3 Debian Linux, Fedora, Xfce4-settings | 2024-02-28 | N/A | 9.8 CRITICAL |
| In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper. | |||||
| CVE-2022-37005 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-02-28 | N/A | 7.5 HIGH |
| The Settings application has an argument injection vulnerability. Successful exploitation of this vulnerability may affect data confidentiality. | |||||
| CVE-2019-10800 | 1 Codecov | 1 Codecov-python | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| This affects the package codecov before 2.0.16. The vulnerability occurs due to not sanitizing gcov arguments before being being provided to the popen method. | |||||
| CVE-2022-37027 | 1 Ahsay | 1 Cloud Backup Suite | 2024-02-28 | N/A | 7.2 HIGH |
| Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user. | |||||
| CVE-2022-36069 | 1 Python-poetry | 1 Poetry | 2024-02-28 | N/A | 7.3 HIGH |
| Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue. | |||||
| CVE-2022-24440 | 1 Cocoapods | 1 Cocoapods-downloader | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. | |||||
| CVE-2022-29972 | 1 Insightsoftware | 1 Magnitude Simba Amazon Redshift Odbc Driver | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) may allow a local user to execute arbitrary code. | |||||
| CVE-2022-23915 | 1 Weblate | 1 Weblate | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| The package weblate from 0 and before 4.11.1 are vulnerable to Remote Code Execution (RCE) via argument injection when using git or mercurial repositories. Authenticated users, can change the behavior of the application in an unintended way, leading to command execution. | |||||
| CVE-2022-24433 | 1 Simple-git Project | 1 Simple-git | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| The package simple-git before 3.3.0 are vulnerable to Command Injection via argument injection. When calling the .fetch(remote, branch, handlerFn) function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options it was possible to get arbitrary command execution. | |||||
| CVE-2022-21187 | 1 Libvcs Project | 1 Libvcs | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the update_repo function (when using hg), the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution. | |||||
| CVE-2022-24376 | 1 Git-promise Project | 1 Git-promise | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior [vulnerability](https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-567476) in this package. **Note:** Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue. | |||||
| CVE-2022-30240 | 1 Insightsoftware | 1 Magnitude Simba Amazon Redshift Jdbc Driver | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift JDBC Driver 1.2.40 through 1.2.55 may allow a local user to execute code. NOTE: this is different from CVE-2022-29972. | |||||
| CVE-2022-30239 | 1 Insightsoftware | 1 Magnitude Simba Amazon Athena Jdbc Driver | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Athena JDBC Driver 2.0.25 through 2.0.28 may allow a local user to execute code. NOTE: this is different from CVE-2022-29971. | |||||
| CVE-2022-21223 | 1 Cocoapods | 1 Cocoapods-downloader | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection. | |||||
| CVE-2022-25865 | 1 Microsoft | 1 Workspace-tools | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| The package workspace-tools before 0.18.4 are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. | |||||