CVE-2022-47318: 
Ruby vulnerability analysis and mitigation

CVE-2022-47318 affects ruby-git versions prior to v1.13.0. The vulnerability allows a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename to the product. This vulnerability was discovered in December 2022 and was publicly disclosed on January 5, 2023 (JVN Report). The vulnerability is distinct from CVE-2022-46648, which was reported in the same timeframe.

The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD). The issue stems from improper handling of file paths in the ls-files functionality, where the code previously used eval for unescaping paths, leading to potential code injection (GitHub PR).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary Ruby code with the privileges of the application running the ruby-git library. This could lead to unauthorized access, data manipulation, or system compromise depending on the context in which the library is being used (JVN Report).

The recommended mitigation is to update ruby-git to version 1.13.0 or later. The fix was implemented by replacing the eval-based path unescaping with a more secure Git::EscapedPath mechanism (GitHub PR). Various Linux distributions have also released security updates, including Debian with version 1.2.8-1+deb10u1 (Debian Advisory) and Fedora 37 with version 1.13.0-1.fc37 (Fedora Update).