The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection. https://snyk.io/vuln/SNYK-RUBY-GIT-2421270 https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0 https://github.com/ruby-git/ruby-git/pull/569
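The hardening a caller or library would want here, as an added example that is not ruby-git's own code or the fix from PR 569: treat a remote value that begins with "-" as option-like and reject it, build the argv as an array so no shell is involved, and terminate git's option parsing with "--" so the remote is always positional. The opts keys (:prune, :tags) and the remote-name allow-list are assumptions for illustration.

```ruby
require 'shellwords'

# A remote name (or URL) that begins with '-' would be consumed by git as an
# option instead of as the remote, which is the argument-injection class the
# advisory above describes. Treat any such value as untrusted and refuse it.
def option_like?(remote)
  remote.to_s.start_with?('-')
end

# Build the argv for `git fetch` from an untrusted remote value.
# Returns an Array (never an interpolated shell string) and places '--'
# before the remote so git treats everything after it as a positional argument.
# Raises ArgumentError for option-like remotes rather than trying to sanitise them.
def safe_fetch_argv(remote = 'origin', opts = {})
  raise ArgumentError, "refusing option-like remote: #{remote.inspect}" if option_like?(remote)

  argv = ['git', 'fetch']
  argv << '--prune' if opts[:prune] # assumed opts keys, mapped to real git flags
  argv << '--tags'  if opts[:tags]
  argv << '--'                      # end of options: remote can no longer be a flag
  argv << remote
end

# Conservative allow-list for remote *names* (URLs need separate validation):
# leading alphanumeric, then letters, digits, '.', '_' or '-'. A leading '-' fails.
REMOTE_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/.freeze

def valid_remote_name?(remote)
  !!REMOTE_NAME_RE.match(remote.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Shellwords.join is only used for display; pass the array itself to
  # Process.spawn/system so no shell ever parses it.
  puts Shellwords.join(safe_fetch_argv('upstream', prune: true))
  begin
    safe_fetch_argv('--not-a-remote') # constructed option-like value
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```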
This should refer to the rubygem-git component in the title of the ticket and the Cc list. It's not, so far as I can tell, a bug in the git package. (It's misleading and inaccurate that the snyk.io link refers to it as "git" without making it clear this is the rubygem git library.)
Created rubygem-git tracking bugs for this issue:
Affects: epel-8 [bug 2077012]
Affects: fedora-34 [bug 2077013]
Affects: fedora-35 [bug 2077014]
After reviewing the CVSS, a rescore was needed, making it critical. As the flaw would generally require some permissions to exploit in most cases, the impact for most scenarios would be kept as important, but there could be cases in which the impact for the library in the worst case can be considered critical. Due to the fact that only one of our Red Hat Satellite 10 is affected (we only ship the code but do not use it), we anticipate a low or moderate impact there.
This issue has been addressed in the following products: Red Hat Satellite 6.12 for RHEL 8 via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-25648