{
  "threat_severity" : "Critical",
  "public_date" : "2022-04-13T00:00:00Z",
  "bugzilla" : {
    "description" : "ruby-git: package vulnerable to Command Injection via git argument injection",
    "id" : "2076843",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2076843"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-88",
  "details" : [ "The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that allows additional flags to be set. These additional flags can be used to perform a command injection.", "A flaw was found in ruby-git, where the package is vulnerable to command injection via git argument injection. This flaw allows an attacker to set additional git flags, which can lead to command injection." ],
  "statement" : "Red Hat Satellite 10 is marked as affected because it ships the vulnerable code. However, the dependency is not used within the product as such, so the impact is considered moderate. Other Red Hat Satellite versions do not deliver this dependency, so they are neither vulnerable nor affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.12 for RHEL 8",
    "release_date" : "2022-11-16T00:00:00Z",
    "advisory" : "RHSA-2022:8506",
    "cpe" : "cpe:/a:redhat:satellite:6.12::el8",
    "package" : "tfm-rubygem-git-0:1.11.0-1.el8sat",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-25648\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25648\nhttps://snyk.io/vuln/SNYK-RUBY-GIT-2421270" ],
  "name" : "CVE-2022-25648",
  "csaw" : false
}