Vulnerability details: VCID-21we-9azk-9bhk
Vulnerability ID VCID-21we-9azk-9bhk
Aliases CVE-2022-46648
GHSA-pfpr-3463-c6jh
GMS-2023-9
Summary Potential remote code execution in ruby-git. The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the 'git ls-files' command, using eval() to unescape quoted file names. If a file name added to the git repository contained special characters, such as '\n', the 'git ls-files' command would print the file name in quotes and escape any special characters. If the 'Git#ls_files' method encountered a quoted file name, it would use eval() to unquote and unescape any special characters, leading to potential remote code execution. Version 1.13.0 of the git gem, which correctly parses quoted file names, has been released.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 8.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46648.json
epss 0.01975 https://api.first.org/data/v1/epss?cve=CVE-2022-46648
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-pfpr-3463-c6jh
cvssv3.1 8 https://github.com/ruby-git/ruby-git
cvssv3.1 8.0 https://github.com/ruby-git/ruby-git
generic_textual HIGH https://github.com/ruby-git/ruby-git
ssvc Track https://github.com/ruby-git/ruby-git
cvssv3 5.5 https://github.com/ruby-git/ruby-git/pull/602
cvssv3.1 8 https://github.com/ruby-git/ruby-git/pull/602
cvssv3.1 8.0 https://github.com/ruby-git/ruby-git/pull/602
generic_textual HIGH https://github.com/ruby-git/ruby-git/pull/602
ssvc Track https://github.com/ruby-git/ruby-git/pull/602
cvssv3.1 8.0 https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
generic_textual HIGH https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
cvssv3.1 8.0 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml
cvssv3.1 8 https://jvn.jp/en/jp/JVN16765254/index.html
cvssv3.1 8.0 https://jvn.jp/en/jp/JVN16765254/index.html
generic_textual HIGH https://jvn.jp/en/jp/JVN16765254/index.html
ssvc Track https://jvn.jp/en/jp/JVN16765254/index.html
cvssv3.1 8 https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
cvssv3.1 8.0 https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
cvssv3.1 8.0 https://nvd.nist.gov/vuln/detail/CVE-2022-46648
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-46648
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-46648.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/ruby-git/ruby-git
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-04T18:51:53Z/ Found at https://github.com/ruby-git/ruby-git
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/ruby-git/ruby-git/pull/602
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-04T18:51:53Z/ Found at https://github.com/ruby-git/ruby-git/pull/602
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://jvn.jp/en/jp/JVN16765254/index.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-04T18:51:53Z/ Found at https://jvn.jp/en/jp/JVN16765254/index.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-04T18:51:53Z/ Found at https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-46648
Exploit Prediction Scoring System (EPSS)
Percentile 0.83877
EPSS Score 0.01975
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:53.582286+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml 38.6.0