CVE-2022-46648 – git

Package

Manager: gem
Name: git
Vulnerable Version: >=1.2.0 <1.13.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01766 pctl0.81901

Details

ruby-git has potential remote code execution vulnerability The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the `git ls-files` command using `eval()` to unescape quoted file names. If a file name was added to the git repository contained special characters, such as `\n`, then the `git ls-files` command would print the file name in quotes and escape any special characters. If the `Git#ls_files` method encountered a quoted file name it would use `eval()` to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

Metadata

Created: 2023-01-09T21:55:14Z
Modified: 2025-04-04T21:59:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-pfpr-3463-c6jh/GHSA-pfpr-3463-c6jh.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-pfpr-3463-c6jh
Finding: F422
Auto approve: 1