Lucene search

PRIOn knowledge basePRION:CVE-2022-25648

HistoryApr 19, 2022 - 5:15 p.m.

Command injection

2022-04-1917:15:00

PRIOn knowledge base

www.prio-n.com

9.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.7%

JSON

The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = ‘origin’, opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

CPENameOperatorVersion
debian_linuxeq10.0
extra_packages_for_enterprise_linuxeq8.0
fedoraeq34
fedoraeq35
fedoraeq36
gitlt1.11.0

Name	Operator	Version
debian_linux	eq	10.0
extra_packages_for_enterprise_linux	eq	8.0
fedora	eq	34
fedora	eq	35
fedora	eq	36
git	lt	1.11.0

References

github.com/ruby-git/ruby-git/pull/569

github.com/ruby-git/ruby-git/releases/tag/v1.11.0

lists.debian.org/debian-lts-announce/2023/01/msg00043.html

lists.fedoraproject.org/archives/list/[email protected]/message/PTJUF6SFPL4ZVSJQHGQ36KFPFO5DQVYZ/

lists.fedoraproject.org/archives/list/[email protected]/message/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/

lists.fedoraproject.org/archives/list/[email protected]/message/XWNJA7WPE67LJ3DJMWZ2TADHCZKWMY55/

snyk.io/vuln/SNYK-RUBY-GIT-2421270