git 1.2.0
Command injection in ruby-git
critical severity CVE-2022-25648>= 1.11.0
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Code injection in ruby git
high severity CVE-2022-47318>= 1.13.0
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.
Potential remote code execution in ruby-git
medium severity CVE-2022-46648>= 1.13.0
< 1.2.0
The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the 'git ls-files' command using eval() to unescape quoted file names. If a file name was added to the git repository contained special characters, such as '\n', then the 'git ls-files' command would print the file name in quotes and escape any special characters. If the 'Git#ls_files' method encountered a quoted file name it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Gem version without a license.
Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.
This gem version is available.
This gem version has not been yanked and is still available for usage.