CVE-2022-46648.yml

---
gem: git
cve: 2022-46648
ghsa: pfpr-3463-c6jh
url: https://github.com/ruby-git/ruby-git/pull/602
title: Potential remote code execution in ruby-git
date: 2023-01-05
description: |
  The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output
  of the 'git ls-files' command using eval() to unescape quoted file names.
  If a file name was added to the git repository contained special characters,
  such as '\n', then the 'git ls-files' command would print the file name in
  quotes and escape any special characters.
  If the 'Git#ls_files' method encountered a quoted file name it would use
  eval() to unquote and unescape any special characters, leading to potential
  remote code execution. Version 1.13.0 of the git gem was released which
  correctly parses any quoted file names.
cvss_v3: 5.5
unaffected_versions:
  - "< 1.2.0"
patched_versions:
  - ">= 1.13.0"
related:
  url:
    - https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0