git 1.9.0

3 security vulnerabilities found in version 1.9.0

Command injection in ruby-git

critical severity CVE-2022-25648
critical severity CVE-2022-25648
Patched versions: >= 1.11.0

The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Code injection in ruby git

high severity CVE-2022-47318
high severity CVE-2022-47318
Patched versions: >= 1.13.0

ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.

Potential remote code execution in ruby-git

medium severity CVE-2022-46648
medium severity CVE-2022-46648
Patched versions: >= 1.13.0
Unaffected versions: < 1.2.0

The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the 'git ls-files' command using eval() to unescape quoted file names. If a file name was added to the git repository contained special characters, such as '\n', then the 'git ls-files' command would print the file name in quotes and escape any special characters. If the 'Git#ls_files' method encountered a quoted file name it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released which correctly parses any quoted file names.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.