CVE-2022-46648

Name: CVE-2022-46648
Description: ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-47318.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3303-1, ELA-784-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
ruby-git (PTS) | jessie | 1.2.8-1 | vulnerable
ruby-git (PTS) | stretch (lts), stretch | 1.2.8-1+deb9u1 | fixed
ruby-git (PTS) | buster (security), buster, buster (lts) | 1.2.8-1+deb10u1 | fixed
ruby-git (PTS) | bullseye | 1.7.0-1 | vulnerable
ruby-git (PTS) | sid, trixie, bookworm | 1.13.1-1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
ruby-git | source | jessie | (unfixed) | end-of-life | |
ruby-git | source | stretch | 1.2.8-1+deb9u1 | | ELA-784-1 |
ruby-git | source | buster | 1.2.8-1+deb10u1 | | DLA-3303-1 |
ruby-git | source | (unstable) | 1.13.1-1 | | |

Notes

[bullseye] - ruby-git <no-dsa> (Minor issue)
https://github.com/ruby-git/ruby-git/pull/602
https://github.com/ruby-git/ruby-git/commit/4fe8738e8348567255ab4be25867684b5d0d282d (v1.13.0)