rubysec · postmodern · Jan 8, 2023 · Jan 8, 2023
diff --git a/gems/git/CVE-2022-46648.yml b/gems/git/CVE-2022-46648.yml
@@ -0,0 +1,24 @@
+---
+gem: git
+cve: 2022-46648
+url: https://github.com/ruby-git/ruby-git/pull/602
+title: Potential remote code execution in ruby-git
+date: 2023-01-05
+description: |
+  The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output
+  of the 'git ls-files' command using eval() to unescape quoted file names.
+  If a file name was added to the git repository contained special characters,
+  such as '\n', then the 'git ls-files' command would print the file name in
+  quotes and escape any special characters.
+  If the 'Git#ls_files' method encountered a quoted file name it would use
+  eval() to unquote and unescape any special characters, leading to potential
+  remote code execution. Version 1.13.0 of the git gem was released which
+  correctly parses any quoted file names.
+cvss_v3: 5.5
+patched_versions:
+  - '>= 1.13.0'
+unaffected_versions:
+  - '< 1.2.0'
+related:
+  url:
+    - https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0