{"id":"CVE-2022-25648","details":"The git package (the ruby-git Ruby gem) before 1.11.0 is vulnerable to command injection via git argument injection. When the fetch(remote = 'origin', opts = {}) function is called, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. These additional flags can be used to perform command injection.","aliases":["BIT-git-2022-25648","GHSA-69p6-wvmq-27gg"],"modified":"2026-04-16T04:31:15.587313882Z","published":"2022-04-19T17:15:11.333Z","related":["SNYK-RUBY-GIT-2421270"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTJUF6SFPL4ZVSJQHGQ36KFPFO5DQVYZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWNJA7WPE67LJ3DJMWZ2TADHCZKWMY55/"},{"type":"ADVISORY","url":"https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html"},{"type":"FIX","url":"https://github.com/ruby-git/ruby-git/pull/569"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-RUBY-GIT-2421270"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby-git/ruby-git","events":[{"introduced":"0"},{"fixed":"546bc038ff6604f8304fdeca738c2a7c20cbacc8"}]},{"type":"GIT","repo":"https://github.com/ruby-git/ruby-git","events":[{"introduced":"0"},{"fixed":"546bc038ff6604f8304fdeca738c2a7c20cbacc8"}]}],"versions":["1.0.3","1.0.5","1.0.5.1","v1.0.7","v1.10.0","v1.2.0","v1.2.1","v1.2.10","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.2.8","v1.2.9","v1.2.9.1","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.9.0","v1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25648.json"
,"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"fixed":"1.11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}