CVE-2022-46648

Name of the Vulnerable Software and Affected Versions ruby-git versions prior to v1.13.0

Description The issue is related to incorrect code generation management in the Ruby/Git library, allowing a remote authenticated attacker to execute arbitrary Ruby code. This can be achieved by having a user load a repository containing a specially crafted filename. The vulnerability is exploited through the incorrect parsing of the output of the git ls-files command, which uses eval() to unescape quoted file names. If a file name contains special characters, such as , the git ls-files command prints the file name in quotes and escapes any special characters, potentially leading to remote code execution.

Recommendations For versions prior to v1.13.0, update to version 1.13.0 or later, which correctly parses any quoted file names. As a temporary workaround, consider restricting the use of the Git#ls files method until a patch is available. Avoid using the eval() function to unquote and unescape special characters in file names.