GHSA-pphf-gfrm-v32r

Source

https://github.com/advisories/GHSA-pphf-gfrm-v32r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-pphf-gfrm-v32r/GHSA-pphf-gfrm-v32r.json

Aliases

CVE-2022-47318

Published

2023-01-17T12:30:33Z

Modified

2024-02-19T05:28:03.923348Z

Details

ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-47318
https://github.com/ruby-git/ruby-git/pull/602
https://github.com/ruby-git/ruby-git
https://jvn.jp/en/jp/JVN16765254/index.html
https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K

Affected packages

RubyGems / git

Package

Name: git

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.13.0

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.9.1

1.3.0

1.4.0

1.5.0

1.6.0.pre1

1.6.0

1.7.0

1.8.0

1.8.1

1.9.0

1.9.1

1.10.0

1.10.1

1.10.2

1.11.0

1.12.0