CVE-2022-25648
Published 2022-04-19
Priority P2 · 64 · critical 9.8 · CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.61% (90.5th percentile)
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | ruby-git | < ruby-git 1.13.1-1 (bookworm) | ruby-git 1.13.1-1 (bookworm) |
| fedoraproject | extra_packages_for_enterprise_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| git | git | < 1.11.0 | 1.11.0 |
| git | git | >= 0 < 1.11.0 | 1.11.0 |
| git | git | >= unspecified < 1.11.0 | 1.11.0 |
| ruby-git | ruby-git | >= 0 < 1.7.0-1+deb11u1 | 1.7.0-1+deb11u1 |
| ruby-git | ruby-git | >= 0 < 1.13.1-1 | 1.13.1-1 |
| ruby-git | ruby-git | >= 0 < 1.13.1-1 | 1.13.1-1 |
| ruby-git | ruby-git | >= 0 < 1.13.1-1 | 1.13.1-1 |
Detection & IOCs (extracted from sources)
- Command injection occurs when the `remote` parameter of the `fetch(remote = 'origin', opts = {})` function is passed unsanitized to the `git fetch` subcommand, allowing injection of additional git flags.
- Monitor for invocations of `git fetch` with unexpected flag-like arguments (e.g., strings beginning with `-`) supplied as the remote parameter, which may indicate exploitation of this argument injection vulnerability.
- Only ruby-git (gem `git`) versions before 1.11.0 are vulnerable; upgrade to 1.11.0 or later to remediate.
- Red Hat Satellite 10 ships the vulnerable ruby-git code but does not actively use the affected dependency within the product, reducing practical exploitability in that context.
- Debian fixed versions differ by release: bullseye fixed in 1.7.0-1+deb11u1; bookworm/sid/trixie/forky fixed in 1.13.1-1.
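The two sides of the issue above, as an added example that is not ruby-git's own code: a hardened wrapper that refuses a flag-like `remote` and builds the `git fetch` argv from an allowlist, and a detection pass over constructed audit log lines that flags a `git fetch` whose remote slot carries an unexpected `-` argument. The option keys handled, the allowed-flag list and the `cmd="..."` log format are assumptions for illustration.

```ruby
require 'shellwords'

# Flags a legitimate fetch wrapper is assumed to emit itself; any other
# "-"-prefixed argv entry in a `git fetch` command is treated as suspicious.
ALLOWED_FETCH_FLAGS = %w[--all --tags -t --prune -p].freeze

# A remote is safe to pass positionally only if it cannot be parsed as an
# option (no leading "-") and contains only characters seen in remote names
# and URLs. This is the check the vulnerable versions lacked.
def safe_remote?(remote)
  s = remote.to_s
  !s.empty? && !s.start_with?('-') && s.match?(%r{\A[A-Za-z0-9._/:@+~-]+\z})
end

# Hardened equivalent of fetch(remote = 'origin', opts = {}); the option keys
# are an assumed subset for illustration. Flags come only from a fixed list
# and the remote goes last, so caller input can never add a flag. Returns the
# argv array to run without a shell.
def fetch_argv(remote = 'origin', opts = {})
  raise ArgumentError, "unsafe remote: #{remote.inspect}" unless safe_remote?(remote)
  argv = %w[git fetch]
  argv << '--all'   if opts[:all]
  argv << '--tags'  if opts[:t] || opts[:tags]
  argv << '--prune' if opts[:p] || opts[:prune]
  argv << remote
end

# Detection side: scan audit log lines of the constructed form
#   <timestamp> pid=<n> cmd="<command line>"
# and return those whose `git fetch` argv carries a flag outside the allowlist.
def suspicious_fetches(log_lines)
  log_lines.select do |line|
    cmd = line[/cmd="([^"]*)"/, 1]
    next false unless cmd
    argv = Shellwords.split(cmd)
    next false unless argv[0] == 'git' && argv[1] == 'fetch'
    argv.drop(2).any? { |a| a.start_with?('-') && !ALLOWED_FETCH_FLAGS.include?(a) }
  end
end

# Constructed sample log: one benign fetch, one where the remote slot holds a
# flag-like string (a placeholder name, not a real git option), one unrelated.
SAMPLE_LOG = [
  '2022-04-20T10:00:01Z pid=4242 cmd="git fetch --tags origin"',
  '2022-04-20T10:00:07Z pid=4251 cmd="git fetch --injected-flag=placeholder origin"',
  '2022-04-20T10:00:09Z pid=4260 cmd="git status"'
].freeze
```

Run `suspicious_fetches(SAMPLE_LOG)` to see only the pid=4251 line returned; `fetch_argv('origin', tags: true)` yields `["git", "fetch", "--tags", "origin"]`.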
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
GHSA · 2022-04-20 · CVE-2022-25648 [CRITICAL] CWE-88
Command injection in ruby-git
The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the `fetch(remote = 'origin', opts = {})` function, the remote parameter is passed to the `git fetch` subcommand in a way such that additional flags can be set. The additional flags can be used to perform a command injection.
OSV · 2022-04-20 · CVE-2022-25648 [CRITICAL]
Command injection in ruby-git
The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the `fetch(remote = 'origin', opts = {})` function, the remote parameter is passed to the `git fetch` subcommand in a way such that additional flags can be set. The additional flags can be used to perform a command injection.
OSV · 2022-04-19 · CVSS 9.8 · CVE-2022-25648 [CRITICAL]
CVE-2022-25648: The package git before 1
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
Red Hat · 2022-04-13 · CVSS 8.1 · CVE-2022-25648 [HIGH] CWE-88
ruby-git: package vulnerable to Command Injection via git argument injection
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
A flaw was found in ruby-git, where the package is vulnerable to command injection via the git argument. This flaw allows an attacker to set additional flags, which leads to performing command injections.
Statement: Red Hat Satellite 10 is marked as affected, as it is shipping the vulnerable code. However, the dependency is not used within the product as such, so the impact is considered as mo
Debian · 2022 · CVSS 8.1 · CVE-2022-25648 [HIGH]
CVE-2022-25648: ruby-git - The package git before 1.11.0 are vulnerable to Command Injection via git argume...
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
Scope: local
- bookworm: resolved (fixed in 1.13.1-1)
- bullseye: resolved (fixed in 1.7.0-1+deb11u1)
- forky: resolved (fixed in 1.13.1-1)
- sid: resolved (fixed in 1.13.1-1)
- trixie: resolved (fixed in 1.13.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ruby-git/ruby-git/pull/569
- https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0
- https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTJUF6SFPL4ZVSJQHGQ36KFPFO5DQVYZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWNJA7WPE67LJ3DJMWZ2TADHCZKWMY55/
- https://snyk.io/vuln/SNYK-RUBY-GIT-2421270