CVE-2022-46648

ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318.
References
Link Resource
https://github.com/ruby-git/ruby-git/pull/602 Patch Third Party Advisory
https://github.com/ruby-git/ruby-git Product Third Party Advisory
https://jvn.jp/en/jp/JVN16765254/index.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html Mailing List Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:ruby-git_project:ruby-git:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Information

Published : 2023-01-17 02:15

Updated : 2023-02-02 10:45


NVD link : CVE-2022-46648

Mitre link : CVE-2022-46648


JSON object : View

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

ruby-git_project

  • ruby-git