Ruby/git/1.8.1
The git gem provides an API that can be used to create, read, and manipulate Git repositories by wrapping system calls to the git command line. The API can be used for working with Git in complex interactions including branching and merging, object inspection and manipulation, history, patch generation and more.
https://rubygems.org/gems/git
MIT
6 Security Vulnerabilities
Command injection in ruby-git
- https://nvd.nist.gov/vuln/detail/CVE-2022-25648
- https://github.com/ruby-git/ruby-git/pull/569
- https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0
- https://snyk.io/vuln/SNYK-RUBY-GIT-2421270
- https://github.com/advisories/GHSA-69p6-wvmq-27gg
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTJUF6SFPL4ZVSJQHGQ36KFPFO5DQVYZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWNJA7WPE67LJ3DJMWZ2TADHCZKWMY55/
- https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-25648.yml
- https://github.com/ruby-git/ruby-git/commit/291ca0946bec7164b90ad5c572ac147f512c7159
The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {})
function, the remote parameter is passed to the git fetch
subcommand in a way such that additional flags can be set. The additional flags can be used to perform a command injection.
ruby-git has potential remote code execution vulnerability
- https://github.com/ruby-git/ruby-git/pull/602
- https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml
- https://github.com/advisories/GHSA-pfpr-3463-c6jh
- https://nvd.nist.gov/vuln/detail/CVE-2022-46648
- https://github.com/ruby-git/ruby-git
- https://jvn.jp/en/jp/JVN16765254/index.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the git ls-files
command using eval()
to unescape quoted file names. If a file name was added to the git repository contained special characters, such as \n
, then the git ls-files
command would print the file name in quotes and escape any special characters. If the Git#ls_files
method encountered a quoted file name it would use eval()
to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.
Code injection in ruby git
- https://nvd.nist.gov/vuln/detail/CVE-2022-47318
- https://github.com/ruby-git/ruby-git/pull/602
- https://github.com/ruby-git/ruby-git
- https://jvn.jp/en/jp/JVN16765254/index.html
- https://github.com/advisories/GHSA-pphf-gfrm-v32r
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K/
- https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.
Command injection in ruby-git
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Potential remote code execution in ruby-git
The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the 'git ls-files' command using eval() to unescape quoted file names. If a file name was added to the git repository contained special characters, such as '\n', then the 'git ls-files' command would print the file name in quotes and escape any special characters. If the 'Git#ls_files' method encountered a quoted file name it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.
Code injection in ruby git
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.
48 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.11.0 | MIT | 4 | 2022-04-17 - 23:31 | about 2 years |
1.12.0 | MIT | 4 | 2022-08-18 - 17:47 | over 1 year |
1.9.0 | MIT | 6 | 2021-07-06 - 19:51 | almost 3 years |
1.8.0 | MIT | 6 | 2020-12-31 - 18:42 | over 3 years |
1.9.1 | MIT | 6 | 2021-07-07 - 16:50 | almost 3 years |
1.6.0 | MIT | 6 | 2020-02-02 - 16:13 | over 4 years |
1.6.0.pre1 | MIT | 6 | 2020-01-20 - 20:50 | over 4 years |
1.5.0 | MIT | 6 | 2018-08-10 - 07:58 | almost 6 years |
1.8.1 | MIT | 6 | 2020-12-31 - 21:03 | over 3 years |
1.3.0 | MIT | 6 | 2016-02-25 - 22:21 | about 8 years |
1.2.9.1 | MIT | 6 | 2015-01-14 - 03:16 | over 9 years |
1.2.9 | MIT | 6 | 2015-01-12 - 19:53 | over 9 years |
1.2.8 | MIT | 6 | 2014-07-31 - 20:03 | almost 10 years |
1.2.7 | MIT | 6 | 2014-06-09 - 20:08 | almost 10 years |
1.7.0 | MIT | 6 | 2020-04-25 - 21:46 | about 4 years |
1.4.0 | MIT | 6 | 2018-05-16 - 06:50 | about 6 years |
1.2.4 | UNKNOWN | 6 | 2009-10-02 - 09:51 | over 14 years |
1.2.5 | UNKNOWN | 6 | 2009-10-17 - 18:05 | over 14 years |
1.2.2 | UNKNOWN | 6 | 2009-08-02 - 11:07 | almost 15 years |
1.2.3 | UNKNOWN | 6 | 2009-10-01 - 09:43 | over 14 years |
1.2.1 | UNKNOWN | 6 | 2009-08-02 - 04:09 | almost 15 years |
1.2.0 | UNKNOWN | 6 | 2009-08-05 - 00:19 | almost 15 years |
1.10.0 | MIT | 6 | 2021-12-20 - 17:05 | over 2 years |
1.10.1 | MIT | 6 | 2022-01-03 - 21:16 | over 2 years |
1.2.6 | MIT | 6 | 2013-08-18 - 00:56 | over 10 years |
1.10.2 | MIT | 6 | 2022-01-06 - 23:38 | over 2 years |
1.1.1 | UNKNOWN | 4 | 2009-07-25 - 18:15 | almost 15 years |
1.0.5 | UNKNOWN | 4 | 2009-07-25 - 18:15 | almost 15 years |
1.0.4 | UNKNOWN | 4 | 2009-07-25 - 18:15 | almost 15 years |
1.0.3 | UNKNOWN | 4 | 2009-07-25 - 18:15 | almost 15 years |
1.0.1 | UNKNOWN | 4 | 2009-07-25 - 18:15 | almost 15 years |
1.0.2 | UNKNOWN | 4 | 2009-07-25 - 18:15 | almost 15 years |
1.13.0 | MIT | 2022-12-14 - 21:33 | over 1 year | |
1.13.1 | MIT | 2023-01-12 - 22:00 | over 1 year | |
1.13.2 | MIT | 2023-02-02 - 22:47 | over 1 year | |
1.14.0 | MIT | 2023-02-26 - 15:32 | about 1 year | |
1.15.0 | MIT | 2023-03-01 - 21:36 | about 1 year | |
1.16.0 | MIT | 2023-03-04 - 00:55 | about 1 year | |
1.17.0 | MIT | 2023-03-06 - 01:18 | about 1 year | |
1.17.1 | MIT | 2023-03-06 - 16:32 | about 1 year | |
1.17.2 | MIT | 2023-03-07 - 17:23 | about 1 year | |
1.18.0 | MIT | 2023-03-19 - 16:55 | about 1 year | |
1.19.0 | MIT | 2023-12-29 - 06:18 | 5 months | |
1.19.1 | MIT | 2024-01-13 - 23:41 | 4 months | |
2.0.0.pre1 | MIT | 2024-01-15 - 23:08 | 4 months | |
2.0.0.pre2 | MIT | 2024-02-24 - 18:02 | 3 months | |
2.0.0.pre3 | MIT | 2024-03-15 - 20:39 | 2 months | |
2.0.0 | MIT | 2024-05-11 - 00:23 | 6 days |