Fluid Attacks Database

Description

ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	ruby-git	>=0 <1.13.1-1	1.13.1-1
debian 11	ruby-git	=1.7.0-1 \|\| >=0 <1.7.0-1+deb11u1	1.7.0-1+deb11u1
debian 12	ruby-git	>=0 <1.13.1-1	1.13.1-1
debian 14	ruby-git	>=0 <1.13.1-1	1.13.1-1
rubygems	git	>=1.2.0 <1.13.0	1.13.0

Aliases

1. CVE-2022-466482. NVD-2022-466483. OSV-DEBIAN-2022-466484. OSV-2022-466485. GCVE-2022-466486. SECURITY-TRACKER-CVE-2022-466487. lists.debian.org

References

1. https://github.com/ruby-git/ruby-git/pull/6022. https://github.com/ruby-git/ruby-git/releases/tag/v1.13.03. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml4. https://jvn.jp/en/jp/JVN16765254/index.html