VYPR
High severity · NVD Advisory · Published Jan 17, 2023 · Updated Apr 4, 2025

CVE-2022-46648

Description

ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-47318.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A code injection vulnerability in ruby-git prior to v1.13.0 allows remote authenticated attackers to execute arbitrary Ruby code via a crafted repository filename.

Vulnerability Analysis

CVE-2022-46648 is a code injection vulnerability (CWE-94) in the ruby-git library, a Ruby interface for Git repositories [1][3]. The flaw exists in versions prior to v1.13.0, where the library fails to properly sanitize file names when loading a repository. An attacker who can convince a user to load a repository containing a specially crafted filename can inject and execute arbitrary Ruby code in the context of the user's application [2][3]. This vulnerability is distinct from CVE-2022-47318, another code injection issue in the same library [2].

Attack Vector

The attack requires that a remote authenticated attacker provide a repository containing a maliciously named file. The victim must then load this repository using the ruby-git library (e.g., via Git.open, Git.clone, or Git.init) [1]. The attack complexity is low, and the attacker needs network access and a valid user account; user interaction is required in the form of the victim loading the repository. The CVSS v3 vector is AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L, indicating a moderate severity [3].

Impact

Successful exploitation allows the attacker to execute arbitrary Ruby code with the privileges of the victim's application. This can lead to partial loss of confidentiality, integrity, and availability, as the attacker could read or modify data, or disrupt the application's operation [2][3].

Mitigation

The vulnerability is patched in ruby-git version 1.13.0 [4]. Users should update to this version or later to mitigate the risk. No workarounds are documented, making upgrading the recommended course of action [3][4].
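As an added audit helper (not code from ruby-git or from the advisory), the following Ruby script checks the `git` gem version resolved in a Gemfile.lock against the affected range stated on this page; the lockfile contents and all function names are constructed for the example.

```ruby
require 'rubygems'

# Affected range and patched version as stated in the advisory's
# "Affected packages" table (constant names are this example's own).
AFFECTED_RANGE  = Gem::Requirement.new('>= 1.2.0', '< 1.13.0')
PATCHED_VERSION = Gem::Version.new('1.13.0')

# True when a version string of the `git` gem falls inside the affected range.
def affected_by_cve_2022_46648?(version_string)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version_string))
end

# Extracts the resolved version of the `git` gem from Gemfile.lock text.
# Resolved gems sit under "specs:" indented by exactly four spaces, e.g.
# "    git (1.12.0)"; dependency lines are indented deeper and are ignored.
def locked_git_version(lockfile_text)
  match = lockfile_text.match(/^    git \(([0-9A-Za-z.]+)\)$/)
  match && match[1]
end

# Audits one lockfile and returns a hash with the locked version, whether it
# is affected, and the recommended action.
def audit_lockfile(lockfile_text)
  version = locked_git_version(lockfile_text)
  return { version: nil, affected: false, action: 'git gem not locked' } if version.nil?

  affected = affected_by_cve_2022_46648?(version)
  { version: version,
    affected: affected,
    action: affected ? "upgrade git gem to >= #{PATCHED_VERSION}" : 'no action needed' }
end

# Constructed sample lockfile (not taken from any real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.1)
      git (1.12.0)
        addressable (~> 2.8)
        rchardet (~> 1.8)
LOCK

puts audit_lockfile(VULNERABLE_LOCK).inspect
```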

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions     Patched versions
git (RubyGems)   >= 1.2.0, < 1.13.0    1.13.0

Affected products (2)
  • ghsa-coords
    Range: >= 1.2.0, < 1.13.0
  • ruby-git/ruby-gitv5
    Range: versions prior to v1.13.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.