CVE-2022-25648

moderate-risk
Published 2022-04-19

The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Do I need to act?

~
4.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (6)

Git

Affected Vendors

Debian Fedoraproject Git

References (14)

Issue Tracking https://github.com/ruby-git/ruby-git/pull/569
Release Notes https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Exploit https://snyk.io/vuln/SNYK-RUBY-GIT-2421270
Issue Tracking https://github.com/ruby-git/ruby-git/pull/569
Release Notes https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0
Mailing List https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Exploit https://snyk.io/vuln/SNYK-RUBY-GIT-2421270
44
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 7/34 · Low
Exposure 13/34 · Low