Threat Watch

Severe Git RCE Vulnerabilities Receive Patch

Git has released a patch for two severe remote code execution vulnerabilities tracked as CVE-2022-41903 and CVE-2022-23521. Both CVEs involve heap-based buffer overflows. CVE-2022-41903 is related to the “git archive” and “git log –format” functions in Git, while CVE-2022-23521 is related to the “.gitattributes” file for defining a set of file patterns and the attributes that should be set for paths matching the patterns. Both vulnerabilities were discovered by researchers at X41 and GitLab during a security audit.

Below are the affected and patched versions of git and git-for-windows:

  • git-for-windows
    • Vulnerable
      • <= 2.39.0(2)
    • Patched
      • >= 2.39.1
  • git
    • Vulnerable
      • <= v2.30.6
      • <= v2.31.5
      • <= v2.32.4
      • <= v2.33.5
      • <= v2.34.5
      • <= v2.35.5
      • <= v2.36.3
      • <= v2.37.4
      • <= v2.38.2
      • <= v2.39.0
    • Patched
      • >= v2.30.7
      • >= v2.31.6
      • >= v2.32.5
      • >= v2.33.6
      • >= v2.34.6
      • >= v2.35.6
      • >= v2.36.4
      • >= v2.37.5
      • >= v2.38.3
      • >= v2.39.1

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

The most effective way of mitigating these vulnerabilities is by upgrading to the latest Git release. In the event that upgrading Git is not possible, CVE-2022-41903 can be mitigated by:

• Disabling ‘git archive’ in untrusted repositories or avoid running the command on untrusted repos
• If ‘git archive’ is exposed via ‘git daemon,’ disable it when working with untrusted repositories by running the ‘git config –global daemon.uploadArch false’ command

https://www.bleepingcomputer.com/news/security/git-patches-two-critical-remote-code-execution-security-flaws/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support