CVE-2022-46648

Description

The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the `git ls-files` command using `eval()` to unescape quoted file names. If a file name was added to the git repository contained special characters, such as `\n`, then the `git ls-files` command would print the file name in quotes and escape any special characters. If the `Git#ls_files` method encountered a quoted file name it would use `eval()` to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

How to fix CVE-2022-46648

To remediate CVE-2022-46648, upgrade the affected package to a fixed version below.

• —upgrade to 1.7.0-1+deb11u1 or later
• —upgrade to 1.13.0 or later

Is CVE-2022-46648 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 1.7.0-1+deb11u1
• >= 1.2.0, < 1.13.0

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-46648
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-46648
• PATCHgithub.com/ruby-git/ruby-git
• WEBgithub.com/ruby-git/ruby-git/pull/602
• WEB