Vulnerability Details

Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called aspell.exe if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. Therefore, malicious repositories can ship with an aspell.exe in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.

Publish Date: 2023-01-17

URL: CVE-2022-41953

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-v4px-mx59-w99c

Release Date: 2023-01-17

Fix Resolution: v2.35.6.windows.1;v2.39.1.windows.1

Vulnerability Details

Git is distributed revision control system. git log can display commits in an arbitrary format using its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute. When processing the padding operators, there is a integer overflow in pretty.c::format_and_pad_commit() where a size_t is stored improperly as an int, and then added as an offset to a memcpy(). This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false.

Publish Date: 2023-01-17

URL: CVE-2022-41903

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c738-c5qq-xg89

Release Date: 2023-01-17

Fix Resolution: v2.30.7,v2.31.6,v2.32.5,v2.33.6,v2.34.6,v2.35.6,v2.36.4,v2.37.5,v2.38.3,v2.39.1

Vulnerable Library - gitv2.31.0

Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored. Please follow Documentation/SubmittingPatches procedure for any of your improvements.

Library home page: https://github.com/git/git.git

Found in base branch: master

Vulnerable Source Files (1)

/gettext.h

Vulnerability Details

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the gettext() function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path C:\mingw64\share\locale to look for localized messages. And since any authenticated user has the permission to create folders in C:\ (and since C:\mingw64 does not typically exist), it is possible for low-privilege users to place fake messages in that location where git.exe will pick them up in version 2.40.1.

This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a C:\mingw64 folder and leave it empty. Users who have administrative rights may remove the permission to create folders in C:\.

Publish Date: 2023-04-25

URL: CVE-2023-25815

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w66-8mq8-5vm8

Release Date: 2023-04-25

Fix Resolution: v2.40.1.windows.1

Vulnerable Library - gitv2.30.2

The core git plumbing

Library home page: https://git.kernel.org/pub/scm/git/git.git

Found in HEAD commit: ba2736d761e0b2eedf96d852609858eb858f42dd

Found in base branch: master

Vulnerable Source Files (1)

/git-archimport.perl

Vulnerability Details

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Publish Date: 2017-09-29

URL: CVE-2017-14867

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867

Release Date: 2017-09-29

Fix Resolution: v2.14.2,v2.13.7,v2.13.6,v2.12.5,v2.11.4,v2.10.5

Vulnerability Details

Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2023-01-17

URL: CVE-2022-23521

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c738-c5qq-xg89

Release Date: 2023-01-17

Fix Resolution: v2.30.7,v2.31.6,v2.32.5,v2.33.6,v2.34.6,v2.35.6,v2.36.4,v2.37.5,v2.38.3,v2.39.1

Vulnerable Library - gitv2.30.2

The core git plumbing

Library home page: https://git.kernel.org/pub/scm/git/git.git

Found in base branch: master

Vulnerable Source Files (1)

/shell.c

Vulnerability Details

Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.

Publish Date: 2022-10-19

URL: CVE-2022-39260

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rjr6-wcq6-83p6

Release Date: 2022-10-19

Fix Resolution: v2.30.6,v2.31.5,v2.32.4,v2.33.5,v2.34.5,v2.35.5,v2.36.3,v2.37.4,v2.38.1