CVE-2022-47318
Description
ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-46648.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-47318 is a code injection vulnerability in ruby-git prior to v1.13.0 allowing authenticated remote attackers to execute arbitrary Ruby code via a crafted filename.
The vulnerability resides in ruby-git, a Ruby library for interacting with Git repositories. Versions prior to v1.13.0 contain a code injection flaw (CWE-94) where specially crafted filenames in a repository can lead to arbitrary Ruby code execution when the repository is loaded by the library [2][3].
Exploitation requires an authenticated remote attacker to convince a user to load a repository containing a malicious filename. The attacker must have the ability to create or modify filenames in a repository that the victim will then process using ruby-git. The attack vector is network-based, with low complexity, but requires user interaction and low privileges [3].
Successful exploitation allows the attacker to execute arbitrary Ruby code in the context of the user running ruby-git. This could lead to unauthorized access, data manipulation, or further compromise of the system. The CVSS v3 score is 6.3 (Medium) per JPCERT/CC [3].
The issue is fixed in ruby-git version 1.13.0. Users are advised to update to the latest version. This vulnerability is distinct from CVE-2022-46648, another code injection issue in the same library [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| git (RubyGems) | < 1.13.0 | 1.13.0 |
Affected products
- ruby-git/ruby-git: versions prior to v1.13.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pphf-gfrm-v32r (source: GHSA; type: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K/ (source: MITRE; type: vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-47318 (source: GHSA; type: advisory)
- github.com/ruby-git/ruby-git/pull/602 (source: GHSA; type: web)
- jvn.jp/en/jp/JVN16765254/index.html (source: GHSA; type: web)
- lists.debian.org/debian-lts-announce/2023/01/msg00043.html (source: GHSA; type: mailing list, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KPFLSZPUM7APWVBRM5DCAY5OUVQBF4K (source: GHSA; type: web)
News mentions
No linked articles in our index yet.