CVE-2022-46648 - Remote Code Execution in ruby-git Before v1.13. Explained

CVE-2022-46648 is a critical vulnerability in the ruby-git library. If you’re using ruby-git versions earlier than v1.13., you could be at risk for arbitrary Ruby code execution. An authenticated attacker can exploit this by getting a user to load a repository crafted to contain a malicious filename. Let’s break down what happened, how it can be exploited, and how to stay safe. This vulnerability is not the same as CVE-2022-47318—they target different issues.

What is ruby-git?

ruby-git is a popular Ruby gem that provides an interface to Git repositories. Developers use it for things like browsing Git histories, automating version control tasks, and more. Many Ruby-based tools, apps, or scripts using Git might rely on ruby-git under the hood.

What’s Happening in CVE-2022-46648?

Essentially, ruby-git didn’t properly sanitize filenames fetched from a repository. If a repository contained a specially crafted filename, ruby-git could be tricked into executing Ruby code in that filename. This means a remote, authenticated attacker can compromise your system just by getting you to load their repo.

This is not a simple local file inclusion or path traversal; it’s straight-up code execution. If you clone or use a malicious repo with a vulnerable version of ruby-git, you can be in deep trouble—an attacker could run commands as your user.

How the Problem Occurred

Older versions of ruby-git would use eval and similar dangerous Ruby functions when handling filenames for certain operations, like logging or traversing files. If the attacker can create a filename containing Ruby code (e.g., evil.rb; system('calc') #), and convince your ruby-git script to process it, the attacker's code can run.

Attacker creates a malicious repo:

mkdir evil-repo && cd evil-repo
git init
echo "puts 'Hacked!'; system('ls /')" > "bad_file.rb'); system('touch HACKED_BY_EVIL'); #"
git add .
git commit -m "Add malicious file"

Attacker gets victim to load the repo using vulnerable ruby-git code:

require 'git'

# Assume user clones repo or loads it in some way:
g = Git.open("/path/to/evil-repo")
g.log.each do |commit|
  puts commit.message # This may trigger the dangerous code path
end

If the code path loads the filename unsafely, the line

system('touch HACKED_BY_EVIL')

will execute on the victim’s machine, demonstrating arbitrary command execution.

> Note: The exact code path may vary based on what functions in ruby-git are used—but the concept stands.

The Fix

The problem was fixed in ruby-git v1.13., which properly sanitizes filenames and does not evaluate them as Ruby code.

Upgrade your ruby-git to v1.13. or later as soon as possible.

gem install ruby-git -v '>= 1.13.'

Or in your Gemfile

gem 'ruby-git', '>= 1.13.'

Original Advisory and References

- GitHub Security Advisory GHSA-r59c-6whx-2mpx
- RubyGems Security Page
- ruby-git v1.13. Release Notes

How is This Different from CVE-2022-47318?

While both vulnerabilities are related to code execution in ruby-git, their root causes and code paths are different. CVE-2022-46648 is specifically about filename handling, whereas CVE-2022-47318 relates to another and separate code execution vector.

If you need more advice or want a deeper dive, check out

- Official CVE entry: CVE-2022-46648
- ruby-git on GitHub

Timeline

Published on: 01/17/2023 10:15:00 UTC
Last modified on: 02/02/2023 18:45:00 UTC