Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZnByLTM0NjMtYzZqaM4AAw1C
ruby-git has potential remote code execution vulnerability
The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the git ls-files command, using eval() to unescape quoted file names. If a file name added to the git repository contained special characters, such as \n, the git ls-files command would print the file name in quotes and escape any special characters. If the Git#ls_files method encountered such a quoted file name, it would pass it to eval() to unquote and unescape the special characters, so the contents of a file name could be executed as Ruby code, leading to potential remote code execution. Version 1.13.0 of the git gem was released, which correctly parses any quoted file names.
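As an added illustration of the corrected behaviour described above (this is example code written for this page, not ruby-git's own implementation; the function names unquote_git_path and parse_ls_files are this example's assumptions), the quoted path names that git prints can be decoded with an explicit escape table instead of eval(), so a path containing #{...} or \n is only ever treated as data:

```ruby
# Safe decoder for the C-style quoting git applies to path names that
# contain special characters (as seen in `git ls-files` output). It uses
# an explicit escape table rather than eval(), so a path such as
# "a#{b}.txt" is returned as text and never executed as Ruby code.
# Function names here are this example's own, not ruby-git's.

# Single-character escapes git emits inside a quoted path.
GIT_SIMPLE_ESCAPES = {
  'a' => "\a", 'b' => "\b", 't' => "\t", 'n' => "\n",
  'v' => "\v", 'f' => "\f", 'r' => "\r", '"' => '"', '\\' => '\\'
}.freeze

# Turn one line of `git ls-files` output into the actual path name.
def unquote_git_path(line)
  # Paths without special characters are printed bare; return them unchanged.
  return line unless line.length >= 2 && line.start_with?('"') && line.end_with?('"')

  body = line[1..-2]
  out = String.new(encoding: Encoding::BINARY)
  i = 0
  while i < body.length
    c = body[i]
    unless c == '\\'
      out << c.b
      i += 1
      next
    end
    esc = body[i + 1]
    raise ArgumentError, "dangling backslash in #{line.inspect}" if esc.nil?
    if GIT_SIMPLE_ESCAPES.key?(esc)
      out << GIT_SIMPLE_ESCAPES[esc].b
      i += 2
    elsif body[i + 1, 3] =~ /\A[0-3][0-7]{2}\z/
      # Octal byte escape, used by git for non-ASCII bytes ("\303\244" is "ä").
      out << body[i + 1, 3].to_i(8).chr
      i += 4
    else
      # Not valid git quoting: refuse rather than guess.
      raise ArgumentError, "unknown escape \\#{esc} in #{line.inspect}"
    end
  end
  out.force_encoding(Encoding::UTF_8)
end

# Decode every line of ls-files output into a list of path names.
def parse_ls_files(output)
  output.each_line(chomp: true).map { |l| unquote_git_path(l) }
end

# Constructed sample output (not captured from a real repository).
SAMPLE_LS_FILES = <<~'OUT'
  README.md
  "evil\nname.txt"
  "a#{b}.txt"
  "\303\244.txt"
OUT

puts parse_ls_files(SAMPLE_LS_FILES).map(&:inspect) if $PROGRAM_NAME == __FILE__
```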
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZnByLTM0NjMtYzZqaM4AAw1C
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-pfpr-3463-c6jh, CVE-2022-46648
References:
- https://github.com/ruby-git/ruby-git/pull/602
- https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml
- https://nvd.nist.gov/vuln/detail/CVE-2022-46648
- https://github.com/ruby-git/ruby-git
- https://jvn.jp/en/jp/JVN16765254/index.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
- https://github.com/advisories/GHSA-pfpr-3463-c6jh
Blast Radius: 34.4
Affected Packages
rubygems:git
Dependent packages: 820
Dependent repositories: 19,860
Downloads: 141,624,221 total
Affected Version Ranges: >= 1.2.0, < 1.13.0
Fixed in: 1.13.0
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.12.0
All unaffected versions: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.1, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2