CVE-2022-25648
HIGHgit < 1.11.0 - Command Injection via fetch Remote Parameter
Title source: llmDescription
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWNJA7WPE67LJ3DJMWZ2TADHCZKWMY55/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTJUF6SFPL4ZVSJQHGQ36KFPFO5DQVYZ/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
Issue Tracking, Patch
https://github.com/ruby-git/ruby-git/pull/569
Exploit, Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-RUBY-GIT-2421270
Scores
CVSS v3
8.1
EPSS
0.0461
EPSS Percentile
90.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-88
Status
published
Products (7)
debian/debian_linux
10.0
fedoraproject/extra_packages_for_enterprise_linux
8.0
fedoraproject/fedora
34
fedoraproject/fedora
35
fedoraproject/fedora
36
git/git
< 1.11.0
rubygems/git
0 - 1.11.0RubyGems
Published
Apr 19, 2022
Tracked Since
Feb 18, 2026