Bug 2169385 (CVE-2022-46648) - CVE-2022-46648 ruby-git: code injection vulnerability
Summary: CVE-2022-46648 ruby-git: code injection vulnerability
Keywords:
Status: NEW
Alias: CVE-2022-46648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2169386 2169387 2169388 2242361 2242362 2242364
Blocks: 2158318
TreeView+ depends on / blocked
 
Reported: 2023-02-13 13:42 UTC by ybuenos
Modified: 2023-11-08 14:17 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ruby-git package, which allows a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection flaw. An attacker can execute arbitrary code on the system by using a specially-crafted filename in the repository.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5931 0 None None None 2023-10-19 13:13:08 UTC
Red Hat Product Errata RHSA-2023:5979 0 None None None 2023-10-20 18:43:20 UTC
Red Hat Product Errata RHSA-2023:5980 0 None None None 2023-10-20 18:44:01 UTC
Red Hat Product Errata RHSA-2023:6818 0 None None None 2023-11-08 14:17:17 UTC

Description ybuenos 2023-02-13 13:42:39 UTC
ruby-git is a Ruby library that can be used to create, read and operate Git repositories. ruby-git contains multiple code injection vulnerabilities. If a repository containing a specially crafted filename is loaded to the product, an arbitrary ruby code may be executed.

Comment 1 ybuenos 2023-02-13 13:42:58 UTC
Created rubygem-git tracking bugs for this issue:

Affects: epel-8 [bug 2169386]
Affects: fedora-36 [bug 2169387]

Comment 7 errata-xmlrpc 2023-10-19 13:13:07 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931

Comment 8 errata-xmlrpc 2023-10-20 18:43:18 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2023:5979 https://access.redhat.com/errata/RHSA-2023:5979

Comment 9 errata-xmlrpc 2023-10-20 18:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2023:5980 https://access.redhat.com/errata/RHSA-2023:5980

Comment 10 errata-xmlrpc 2023-11-08 14:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818


Note You need to log in before you can comment on or make changes to this bug.