Threat Watch

Severe Git RCE Vulnerabilities Receive Patch

Git has released a patch for two severe remote code execution vulnerabilities tracked as CVE-2022-41903 and CVE-2022-23521. Both CVEs involve heap-based buffer overflows. CVE-2022-41903 is related to the “git archive” and “git log --format” commands in Git, while CVE-2022-23521 is related to the “.gitattributes” file, which defines a set of file patterns and the attributes that should be set for paths matching those patterns. Both vulnerabilities were discovered by researchers at X41 and GitLab during a security audit.

Below are the affected and patched versions of git and git-for-windows:

  • git-for-windows
    • Vulnerable
      • <= 2.39.0(2)
    • Patched
      • >= 2.39.1
  • git
    • Vulnerable
      • <= v2.30.6
      • <= v2.31.5
      • <= v2.32.4
      • <= v2.33.5
      • <= v2.34.5
      • <= v2.35.5
      • <= v2.36.3
      • <= v2.37.4
      • <= v2.38.2
      • <= v2.39.0
    • Patched
      • >= v2.30.7
      • >= v2.31.6
      • >= v2.32.5
      • >= v2.33.6
      • >= v2.34.6
      • >= v2.35.6
      • >= v2.36.4
      • >= v2.37.5
      • >= v2.38.3
      • >= v2.39.1

ANALYST NOTES

The most effective way of mitigating these vulnerabilities is by upgrading to the latest Git release. In the event that upgrading Git is not possible, CVE-2022-41903 can be mitigated by:

• Disabling ‘git archive’ in untrusted repositories, or avoiding running the command on untrusted repos
• If ‘git archive’ is exposed via ‘git daemon’, disable it when working with untrusted repositories by running the ‘git config --global daemon.uploadArch false’ command
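A small check script, added here as an example and not part of the advisory, that maps a Git version string onto the patched-version table above and, for the local install, reports whether the daemon.uploadArch fallback from the notes is already applied; the function names git_cve_status and check_local_git are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Git version against the
# patched-version table above. Prints "vulnerable", "patched" or "unknown"
# (branch not covered by the table). Accepts "2.37.4", "v2.37.4",
# "2.39.0.windows.2" or the raw output of `git --version`.
git_cve_status() {
    ver="$1"
    ver="${ver#git version }"   # tolerate raw `git --version` output
    ver="${ver#v}"              # tolerate a leading "v" from a tag name
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$patch" ] || patch=0  # "2.39" means 2.39.0
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return ;;  # rc tags, garbage, etc.
    esac
    [ "$major" -eq 2 ] || { echo unknown; return; }
    # First patched release on each maintenance branch, from the table above.
    case "$minor" in
        30) fixed=7 ;;  31) fixed=6 ;;  32) fixed=5 ;;  33) fixed=6 ;;
        34) fixed=6 ;;  35) fixed=6 ;;  36) fixed=4 ;;  37) fixed=5 ;;
        38) fixed=3 ;;  39) fixed=1 ;;
        *) echo unknown; return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Check the locally installed Git and, unless it is patched, show whether the
# daemon.uploadArch fallback from the analyst notes has been applied.
check_local_git() {
    v=$(git --version 2>/dev/null) || { echo "git not found"; return 1; }
    status=$(git_cve_status "$v")
    echo "$v: $status"
    if [ "$status" != patched ]; then
        arch=$(git config --global --get daemon.uploadArch || echo unset)
        echo "daemon.uploadArch = $arch (set to false if git daemon serves untrusted repos)"
    fi
}
```

Run check_local_git on each host you manage; "unknown" means the branch is outside the table and needs a manual look at the release notes.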

https://www.bleepingcomputer.com/news/security/git-patches-two-critical-remote-code-execution-security-flaws/