GSA_kwCzR0hTQS02OXA2LXd2bXEtMjdnZ809lg

Critical EPSS: 0.01709% (0.81561 Percentile) EPSS:

Permalink JSON

Command injection in ruby-git

Affected Packages	Affected Versions	Fixed Versions
rubygems:git PURL: `pkg:gem/git`	< 1.11.0	1.11.0
820 Dependent packages 19,860 Dependent repositories 173,226,710 Downloads total Affected Version Ranges All affected versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2 All unaffected versions 1.11.0, 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.0.2, 4.0.4, 4.0.5

The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way such that additional flags can be set. The additional flags can be used to perform a command injection.

References:

Identifiers

GHSA-69p6-wvmq-27gg

CVE-2022-25648

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.01709

EPSS Percentile: 0.81561

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ruby-git/ruby-git

Date and time

Published

over 3 years ago

Updated

about 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories