Ruby/git/1.3.0


The git gem provides an API that can be used to create, read, and manipulate Git repositories by wrapping system calls to the git command line. The API can be used for working with Git in complex interactions including branching and merging, object inspection and manipulation, history, patch generation and more.

https://rubygems.org/gems/git
MIT

6 Security Vulnerabilities

Command injection in ruby-git

Published date: 2022-04-20T00:00:33Z
CVE: CVE-2022-25648
Links:

The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in such a way that additional flags can be set. The additional flags can be used to perform a command injection.

Affected versions: ["1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.6.0.pre1", "1.5.0", "1.4.0", "1.3.0", "1.2.9.1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.10.0", "1.10.1", "1.10.2"]
Secure versions: [1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0.pre1, 2.0.0.pre2, 2.0.0.pre3]
Recommendation: Update to version 1.19.1.
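The argument-injection class described above is prevented by never letting a caller-controlled positional (here the remote name) reach git in a form git could read as an option. The Ruby below is an added example, not ruby-git's own code: the helpers `assert_positional!`, `fetch_argv`, `safe_remote?` and `run_git`, and the `FETCH_FLAGS` allow-list, are hypothetical names chosen for this illustration. It rejects values that begin with `-` or contain control characters, builds the `git fetch` option list from an allow-list keyed by symbol rather than from raw strings, and hands the resulting argv to `Open3.capture3` in array form so no shell is involved.

```ruby
# Added example (not ruby-git's own code): validate a user-supplied remote
# name before it is placed on a git command line, so a value that starts with
# "-" can never be read by git as an extra option.
require 'open3'

class UnsafeGitArgument < ArgumentError; end

# Hypothetical helper: returns the value if it is a plain positional argument,
# raises if git could interpret it as an option, or if it is empty or contains
# control characters (which git may print back or misparse).
def assert_positional!(value, what = 'argument')
  s = value.to_s
  raise UnsafeGitArgument, "#{what} must not be empty" if s.empty?
  raise UnsafeGitArgument, "#{what} #{s.inspect} looks like a git option" if s.start_with?('-')
  raise UnsafeGitArgument, "#{what} must not contain control characters" if s =~ /[[:cntrl:]]/
  s
end

# Options come from an allow-list of known keys, never from caller strings.
FETCH_FLAGS = { prune: '--prune', tags: '--tags' }.freeze

# Build the argv for `git fetch` with the remote validated as a positional.
def fetch_argv(remote = 'origin', opts = {})
  argv = ['git', 'fetch']
  opts.each do |key, enabled|
    flag = FETCH_FLAGS[key]
    raise UnsafeGitArgument, "unknown fetch option #{key.inspect}" unless flag
    argv << flag if enabled
  end
  argv << assert_positional!(remote, 'remote')
  argv
end

# Boolean form for callers that prefer a check to an exception.
def safe_remote?(remote)
  assert_positional!(remote, 'remote')
  true
rescue UnsafeGitArgument
  false
end

# Run the command in array form: Ruby passes argv to git directly (no shell),
# so each element is exactly one argument. Requires git on PATH when called.
def run_git(argv, chdir: Dir.pwd)
  stdout, stderr, status = Open3.capture3(*argv, chdir: chdir)
  raise "git failed (#{status.exitstatus}): #{stderr}" unless status.success?
  stdout
end

if __FILE__ == $PROGRAM_NAME
  p fetch_argv('upstream', prune: true)   # ["git", "fetch", "--prune", "upstream"]
  p safe_remote?('--some-option')          # false
end
```

The leading-dash check is the essential part: git option parsing happens inside git, after the process has been spawned, so avoiding the shell alone does not close this bug. Validating the positional and restricting options to an allow-list does.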

ruby-git has potential remote code execution vulnerability

Published date: 2023-01-09T21:55:14Z
CVE: CVE-2022-46648
Links:

The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the git ls-files command using eval() to unescape quoted file names. If a file name added to the git repository contained special characters, such as \n, then the git ls-files command would print the file name in quotes and escape any special characters. If the Git#ls_files method encountered a quoted file name it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

Affected versions: ["1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.6.0.pre1", "1.5.0", "1.4.0", "1.3.0", "1.2.9.1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.12.0"]
Secure versions: [1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0.pre1, 2.0.0.pre2, 2.0.0.pre3]
Recommendation: Update to version 1.19.1.
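The safe alternative to eval() for the quoted ls-files output described above is a small byte-level decoder that only understands the escapes git actually emits. The Ruby below is an added example, not the code shipped in git gem 1.13.0: `unquote_git_path`, `parse_ls_files`, `SHORT_ESCAPES` and the constructed `SAMPLE_LS_FILES` output are names and data made up for this illustration, and the escape set (\n \t \r \a \b \f \v \\ \" plus three-digit octal for other bytes) is the assumed C-style quoting git uses. Anything outside that set raises instead of being interpreted, and Ruby interpolation syntax inside a quoted name is copied through as plain bytes.

```ruby
# Added example (not ruby-git's own code): decode the C-style quoting that
# `git ls-files` applies to unusual file names, byte by byte, without eval().
# Assumed escape set: \n \t \r \a \b \f \v \\ \" and three-digit octal
# escapes such as \303 for bytes outside printable ASCII.

SHORT_ESCAPES = {
  'n' => "\n", 't' => "\t", 'r' => "\r", 'a' => "\a",
  'b' => "\b", 'f' => "\f", 'v' => "\v", '\\' => '\\', '"' => '"'
}.freeze

def octal_digit?(byte)
  !byte.nil? && byte.between?(0x30, 0x37)
end

# Returns the decoded path for a quoted line; an unquoted line is returned
# unchanged. Any escape git would not produce raises ArgumentError rather
# than being guessed at.
def unquote_git_path(line)
  return line unless line.bytesize >= 2 && line.start_with?('"') && line.end_with?('"')
  body = line.b[1..-2]      # raw bytes between the quotes
  out = ''.b
  i = 0
  while i < body.bytesize
    byte = body.getbyte(i)
    unless byte == 0x5C     # not a backslash: copy the byte through unchanged
      out << byte.chr
      i += 1
      next
    end
    i += 1                  # step past the backslash
    raise ArgumentError, "dangling backslash in #{line.inspect}" if i >= body.bytesize
    esc = body[i]
    if SHORT_ESCAPES.key?(esc)
      out << SHORT_ESCAPES[esc]
      i += 1
    elsif (0..2).all? { |k| octal_digit?(body.getbyte(i + k)) }
      value = body[i, 3].to_i(8)
      raise ArgumentError, "octal escape out of byte range in #{line.inspect}" if value > 0xFF
      out << value.chr
      i += 3
    else
      raise ArgumentError, "unsupported escape #{esc.inspect} after backslash in #{line.inspect}"
    end
  end
  out.force_encoding(Encoding::UTF_8)   # caller may check valid_encoding? if it matters
end

# Split ls-files output into decoded paths, one per line.
def parse_ls_files(output)
  output.each_line(chomp: true).map { |l| unquote_git_path(l) }
end

# Constructed sample of what `git ls-files` prints for three files: a plain
# name, one containing a newline, and one with a non-ASCII character.
SAMPLE_LS_FILES = "README.md\n\"with\\nnewline.txt\"\n\"caf\\303\\251.txt\"\n".freeze

if __FILE__ == $PROGRAM_NAME
  parse_ls_files(SAMPLE_LS_FILES).each { |path| p path }
end
```

Working on bytes rather than characters matters here: git writes octal escapes per byte, so a multi-byte UTF-8 name arrives as several `\ooo` sequences that must be reassembled before the string is tagged as UTF-8.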

Code injection in ruby git

Published date: 2023-01-17T12:30:33Z
CVE: CVE-2022-47318
Links:

ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-46648.

Affected versions: ["1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.6.0.pre1", "1.5.0", "1.4.0", "1.3.0", "1.2.9.1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.12.0"]
Secure versions: [1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0.pre1, 2.0.0.pre2, 2.0.0.pre3]
Recommendation: Update to version 1.19.1.

Command injection in ruby-git

Published date: 2022-04-20
CVE: CVE-2022-25648
CVSS V3: 9.8
Links:

The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in such a way that additional flags can be set. The additional flags can be used to perform a command injection.

Affected versions: ["1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.6.0.pre1", "1.5.0", "1.4.0", "1.3.0", "1.2.9.1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.10.0", "1.10.1", "1.10.2"]
Secure versions: [1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0.pre1, 2.0.0.pre2, 2.0.0.pre3]
Recommendation: Update to version 1.19.1.

Potential remote code execution in ruby-git

Published date: 2023-01-05
CVE: CVE-2022-46648
CVSS V3: 5.5
Links:

The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the 'git ls-files' command using eval() to unescape quoted file names. If a file name added to the git repository contained special characters, such as '\n', then the 'git ls-files' command would print the file name in quotes and escape any special characters. If the 'Git#ls_files' method encountered a quoted file name it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

Affected versions: ["1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.6.0.pre1", "1.5.0", "1.4.0", "1.3.0", "1.2.9.1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.12.0"]
Secure versions: [1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0.pre1, 2.0.0.pre2, 2.0.0.pre3]
Recommendation: Update to version 1.19.1.

Code injection in ruby git

Published date: 2023-01-17
CVE: CVE-2022-47318
CVSS V3: 8.0
Links:

ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-46648.

Affected versions: ["1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.6.0.pre1", "1.5.0", "1.4.0", "1.3.0", "1.2.9.1", "1.2.9", "1.2.8", "1.2.7", "1.2.6", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.12.0"]
Secure versions: [1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.19.1, 2.0.0.pre1, 2.0.0.pre2, 2.0.0.pre3]
Recommendation: Update to version 1.19.1.

47 Other Versions

Version | License | Security (number of known vulnerabilities; blank = none) | Released (date - time, relative age)
2.0.0.pre3 MIT 2024-03-15 - 20:39 13 days
2.0.0.pre2 MIT 2024-02-24 - 18:02 about 1 month
2.0.0.pre1 MIT 2024-01-15 - 23:08 2 months
1.19.1 MIT 2024-01-13 - 23:41 3 months
1.19.0 MIT 2023-12-29 - 06:18 3 months
1.18.0 MIT 2023-03-19 - 16:55 about 1 year
1.17.2 MIT 2023-03-07 - 17:23 about 1 year
1.17.1 MIT 2023-03-06 - 16:32 about 1 year
1.17.0 MIT 2023-03-06 - 01:18 about 1 year
1.16.0 MIT 2023-03-04 - 00:55 about 1 year
1.15.0 MIT 2023-03-01 - 21:36 about 1 year
1.14.0 MIT 2023-02-26 - 15:32 about 1 year
1.13.2 MIT 2023-02-02 - 22:47 about 1 year
1.13.1 MIT 2023-01-12 - 22:00 about 1 year
1.13.0 MIT 2022-12-14 - 21:33 over 1 year
1.12.0 MIT 4 2022-08-18 - 17:47 over 1 year
1.11.0 MIT 4 2022-04-17 - 23:31 almost 2 years
1.10.2 MIT 6 2022-01-06 - 23:38 about 2 years
1.10.1 MIT 6 2022-01-03 - 21:16 about 2 years
1.10.0 MIT 6 2021-12-20 - 17:05 over 2 years
1.9.1 MIT 6 2021-07-07 - 16:50 over 2 years
1.9.0 MIT 6 2021-07-06 - 19:51 over 2 years
1.8.1 MIT 6 2020-12-31 - 21:03 about 3 years
1.8.0 MIT 6 2020-12-31 - 18:42 about 3 years
1.7.0 MIT 6 2020-04-25 - 21:46 almost 4 years
1.6.0 MIT 6 2020-02-02 - 16:13 about 4 years
1.6.0.pre1 MIT 6 2020-01-20 - 20:50 about 4 years
1.5.0 MIT 6 2018-08-10 - 07:58 over 5 years
1.4.0 MIT 6 2018-05-16 - 06:50 almost 6 years
1.3.0 MIT 6 2016-02-25 - 22:21 about 8 years
1.2.9.1 MIT 6 2015-01-14 - 03:16 about 9 years
1.2.9 MIT 6 2015-01-12 - 19:53 about 9 years
1.2.8 MIT 6 2014-07-31 - 20:03 over 9 years
1.2.7 MIT 6 2014-06-09 - 20:08 almost 10 years
1.2.6 MIT 6 2013-08-18 - 00:56 over 10 years
1.2.5 UNKNOWN 6 2009-10-17 - 18:05 over 14 years
1.2.4 UNKNOWN 6 2009-10-02 - 09:51 over 14 years
1.2.3 UNKNOWN 6 2009-10-01 - 09:43 over 14 years
1.2.2 UNKNOWN 6 2009-08-02 - 11:07 over 14 years
1.2.1 UNKNOWN 6 2009-08-02 - 04:09 over 14 years
1.2.0 UNKNOWN 6 2009-08-05 - 00:19 over 14 years
1.1.1 UNKNOWN 4 2009-07-25 - 18:15 over 14 years
1.0.5 UNKNOWN 4 2009-07-25 - 18:15 over 14 years
1.0.4 UNKNOWN 4 2009-07-25 - 18:15 over 14 years
1.0.3 UNKNOWN 4 2009-07-25 - 18:15 over 14 years
1.0.2 UNKNOWN 4 2009-07-25 - 18:15 over 14 years
1.0.1 UNKNOWN 4 2009-07-25 - 18:15 over 14 years