SNYK-RUBY-GIT-2421270

SNYK-RUBY-GIT-2421270 PUBLISHED CVSS 8.100000381469727 HIGH

## Overview [git](https://rubygems.org/gems/git) is a Ruby library that can be used to create, read and manipulate Git repositories by wrapping system calls to the git binary. Affected versions of this package are vulnerable to Command Injection via git argument injection. When calling the `fetch(remote = 'origin', opts = {})` function, the `remote` parameter is passed to the `git fetch` subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. ## PoC ```ruby require "git" g = Git.init('project') origin = "--upload-pack=touch ./HELLO1;" g.fetch(origin, {:ref => 'some/ref/head'} ) # ls -la ``` ## Remediation Upgrade `git` to version 1.11.0 or higher. ## References - [GitHub PR](https://github.com/ruby-git/ruby-git/pull/569) - [GitHub Release](https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0)

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P

Affected Products

Vendor	Product	Versions
		0

Timeline

Mar 11, 2022 CVE Updated
Apr 19, 2022 CVE Published

References

https://security.snyk.io/vuln/SNYK-RUBY-GIT-2421270 advisory
https://learn.snyk.io/lesson/malicious-code-injection/ technical
https://rubygems.org/gems/git vendor
https://github.com/ruby-git/ruby-git/pull/569 patch
https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0 vendor

Open in Interactive Console →