Bug 2076843 (CVE-2022-25648) - CVE-2022-25648 ruby-git: package vulnerable to Command Injection via git argument injection
Summary: CVE-2022-25648 ruby-git: package vulnerable to Command Injection via git argu...
Alias: CVE-2022-25648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2077012 2077013 2077014 2088443
Blocks: 2076844
TreeView+ depends on / blocked
Reported: 2022-04-20 04:31 UTC by Sandipan Roy
Modified: 2022-12-07 09:32 UTC (History)
14 users (show)

Fixed In Version: ruby-git 1.11.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ruby-git, where the package is vulnerable to command injection via the git argument. This flaw allows an attacker to set additional flags, which leads to performing command injections.
Clone Of:
Last Closed: 2022-12-07 09:32:54 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8506 0 None None None 2022-11-16 13:32:16 UTC

Description Sandipan Roy 2022-04-20 04:31:36 UTC
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.


Comment 1 Todd Zullinger 2022-04-20 12:16:10 UTC
This should refer to the rubygem-git component in the title of the ticket and the Cc list.  It's not, so far as I can tell, a bug in the git package.  (It's a misleading and inaccurate that the snyk.io link refers to it as "git" without making it clear this is the rubygem git library.)

Comment 2 Sandipan Roy 2022-04-20 12:59:30 UTC
Created rubygem-git tracking bugs for this issue:

Affects: epel-8 [bug 2077012]
Affects: fedora-34 [bug 2077013]
Affects: fedora-35 [bug 2077014]

Comment 3 Borja Tarraso 2022-05-19 13:00:56 UTC
After reviewing the CVSS, rescore was needed, making it as critical.

As the flaw generally would require some permissions to exploit for most of the cases, the impact for most of the scenarios would kept as important, but it could be cases which the impact for the library in worst case can be considered critical.

Due to the fact that only one of our Red Hat Satellite 10 is affected (we only ship code but do not use it), we anticipate a low or moderate impact there.

Comment 9 errata-xmlrpc 2022-11-16 13:32:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506

Comment 10 Product Security DevOps Team 2022-12-07 09:32:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.