CVE-2022-42906
Severity CVSS v4.0:
Pending analysis
Type:
CWE-77
Command Injection
Publication date:
13/10/2022
Last modified:
15/05/2025
Description
powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:powerline_gitstatus_project:powerline_gitstatus:*:*:*:*:*:*:*:* | 1.3.2 (excluding) | |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/jaspernbrouwer/powerline-gitstatus/issues/45
- https://github.com/jaspernbrouwer/powerline-gitstatus/releases/tag/v1.3.2
- https://lists.debian.org/debian-lts-announce/2023/01/msg00017.html
- https://github.com/jaspernbrouwer/powerline-gitstatus/issues/45
- https://github.com/jaspernbrouwer/powerline-gitstatus/releases/tag/v1.3.2
- https://lists.debian.org/debian-lts-announce/2023/01/msg00017.html