Package details: pkg:gem/git@1.13.0
purl pkg:gem/git@1.13.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
VCID-21we-9azk-9bhk
Summary: Potential remote code execution in ruby-git. The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the 'git ls-files' command using eval() to unescape quoted file names. If a file name added to the git repository contained special characters, such as '\n', then the 'git ls-files' command would print the file name in quotes and escape any special characters. If the 'Git#ls_files' method encountered a quoted file name, it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem was released, which correctly parses any quoted file names.
Aliases: CVE-2022-46648, GHSA-pfpr-3463-c6jh, GMS-2023-9

VCID-56kh-cvav-7ua2
Summary: Improper Control of Generation of Code ('Code Injection'). ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-46648.
Aliases: CVE-2022-47318, GHSA-pphf-gfrm-v32r

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-07T20:48:16.500957+00:00 | GHSA Importer | Fixing | VCID-56kh-cvav-7ua2 | https://github.com/advisories/GHSA-pphf-gfrm-v32r | 38.6.0
2026-06-07T20:48:13.758028+00:00 | GHSA Importer | Fixing | VCID-21we-9azk-9bhk | https://github.com/advisories/GHSA-pfpr-3463-c6jh | 38.6.0
2026-06-05T17:14:01.259578+00:00 | GitLab Importer | Fixing | VCID-21we-9azk-9bhk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/git/CVE-2022-46648.yml | 38.6.0
2026-06-04T17:17:03.498713+00:00 | GithubOSV Importer | Fixing | VCID-21we-9azk-9bhk | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-pfpr-3463-c6jh/GHSA-pfpr-3463-c6jh.json | 38.6.0
2026-06-04T17:17:02.341304+00:00 | GithubOSV Importer | Fixing | VCID-56kh-cvav-7ua2 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-pphf-gfrm-v32r/GHSA-pphf-gfrm-v32r.json | 38.6.0
2026-06-02T04:43:46.586316+00:00 | GitLab Importer | Fixing | VCID-56kh-cvav-7ua2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/git/CVE-2022-47318.yml | 38.6.0