ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318.
CVE-2022-46648
This high-severity CVE scores 8.0 under NVD CVSS v3. EPSS exploit probability: 2.0%, top 16% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 8.0
- EG Score
- 8.0(medium)
- EPSS
- 68.2%
- KEV
- Not listed
Published
January 17, 2023
Last Modified
April 4, 2025
References (8)
- vultures@jpcerthttps://github.com/ruby-git/ruby-git
- vultures@jpcerthttps://github.com/ruby-git/ruby-git/pull/602
- vultures@jpcerthttps://jvn.jp/en/jp/JVN16765254/index.html
- vultures@jpcerthttps://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
- af854a3a-2127-422b-91ae-364da2661108https://github.com/ruby-git/ruby-git
- af854a3a-2127-422b-91ae-364da2661108https://github.com/ruby-git/ruby-git/pull/602
- af854a3a-2127-422b-91ae-364da2661108https://jvn.jp/en/jp/JVN16765254/index.html
- af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html
Vendor Advisories for CVE-2022-46648(4)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2023:6818Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.14 security and bug fix update
- RHSA-2023:5980Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.11.5.6 async security update
- RHSA-2023:5979Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.12.5.2 Async Security Update
- RHSA-2023:5931Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.13.5 Async Security Update
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-94
- CVE-2006-1359NVD 0.0EG 9.0EPSS 99%NONE
- CVE-2005-1921NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2005-3302EG 7.3HIGH
- CVE-2005-1876EG 4.5MEDIUM
- CVE-2003-1599EG 0.0NONE
- CVE-2006-1318EG 0.0EPSS 96%NONE
- CVE-2006-1301EG 0.0EPSS 95%NONE
- CVE-2006-1308EG 0.0EPSS 95%NONE
- CVE-2006-1309EG 0.0EPSS 95%NONE
- CVE-2006-1304EG 0.0EPSS 95%NONE
Frequently asked(5)
What is CVE-2022-46648?
When was CVE-2022-46648 disclosed?
Is CVE-2022-46648 actively exploited?
What is the CVSS score of CVE-2022-46648?
How do I remediate CVE-2022-46648?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2022-46648
Is Your Infrastructure Affected by CVE-2022-46648?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.