GHSA-pfpr-3463-c6jh: ruby-git has potential remote code execution vulnerability

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2022-46648

ruby-git has potential remote code execution vulnerability

Moderate severity GitHub Reviewed Published Jan 9, 2023

Vulnerability details Dependabot alerts 0

Package

bundler git (RubyGems)

Affected versions

>= 1.2.0, < 1.13.0

Patched versions

1.13.0

Description

The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the git ls-files command using eval() to unescape quoted file names. If a file name was added to the git repository contained special characters, such as \n, then the git ls-files command would print the file name in quotes and escape any special characters. If the Git#ls_files method encountered a quoted file name it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

References

• ruby-git/ruby-git#602
• https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml

Severity

Moderate

Weaknesses

No CWEs

CVE ID

CVE-2022-46648

GHSA ID

GHSA-pfpr-3463-c6jh

Source code

ruby-git/ruby-git

Checking history

See something to contribute? Suggest improvements for this vulnerability.