CVE-2022-39253

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-39253
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2022-10-19 11:15:00 UTC
Updated2023-12-27 10:15:00 UTC
DescriptionGit is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Risk And Classification

Problem Types: CWE-59

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Apple Xcode All All All All
Operating System Debian Debian Linux 10.0 All All All
Operating System Fedoraproject Fedora 35 All All All
Operating System Fedoraproject Fedora 36 All All All
Operating System Fedoraproject Fedora 37 All All All
Application Git-scm Git All All All All
Application Git-scm Git 2.38.0 All All All

References

ReferenceSourceLinkTags
Full Disclosure: APPLE-SA-2022-11-01-1 Xcode 14.1 FULLDISC seclists.org
[SECURITY] Fedora 35 Update: git-2.38.1-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 35 Update: git-2.38.1-1.fc35 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
Local clone optimization dereferences symbolic links by default · Advisory · git/git · GitHub CONFIRM github.com
[SECURITY] Fedora 36 Update: git-2.38.1-1.fc36 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
[SECURITY] [DLA 3239-1] git security update MLIST lists.debian.org
Git: Multiple Vulnerabilities (GLSA 202312-15) — Gentoo security security.gentoo.org
[SECURITY] Fedora 37 Update: moby-engine-20.10.20-1.fc37 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 36 Update: moby-engine-20.10.20-1.fc36 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
oss-security - [Announce] Git 2.39.2 and friends MLIST www.openwall.com
[SECURITY] Fedora 37 Update: git-2.38.1-1.fc37 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
About the security content of Xcode 14.1 - Apple Support CONFIRM support.apple.com
[SECURITY] Fedora 36 Update: git-2.38.1-1.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 36 Update: moby-engine-20.10.20-1.fc36 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 37 Update: git-2.38.1-1.fc37 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
[SECURITY] Fedora 37 Update: moby-engine-20.10.20-1.fc37 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160630 Oracle Enterprise Linux Security Update for git (ELSA-2023-2319)
  • 160657 Oracle Enterprise Linux Security Update for git (ELSA-2023-2859)
  • 181320 Debian Security Update for git (DLA 3239-1)
  • 181321 Debian Security Update for git (DLA 3239-2)
  • 181518 Debian Security Update for git (DSA 5332-1)
  • 182078 Debian Security Update for git (CVE-2022-39253)
  • 198993 Ubuntu Security Notification for Git Vulnerabilities (USN-5686-1)
  • 199040 Ubuntu Security Notification for Git Vulnerabilities (USN-5686-3)
  • 199527 Ubuntu Security Notification for Git Vulnerability (USN-5686-4)
  • 241436 Red Hat Update for git (RHSA-2023:2319)
  • 241487 Red Hat Update for git (RHSA-2023:2859)
  • 242859 Red Hat Update for git (RHSA-2024:0407)
  • 283223 Fedora Security Update for moby (FEDORA-2022-12790ca71a)
  • 283258 Fedora Security Update for git (FEDORA-2022-8b58806840)
  • 283271 Fedora Security Update for git (FEDORA-2022-53aadd995f)
  • 283463 Fedora Security Update for moby (FEDORA-2022-2c33bba286)
  • 283469 Fedora Security Update for git (FEDORA-2022-fb088df94c)
  • 354134 Amazon Linux Security Advisory for git : ALAS2-2022-1886
  • 354246 Amazon Linux Security Advisory for git : ALAS-2022-1653
  • 354335 Amazon Linux Security Advisory for git : ALAS2022-2022-254
  • 354580 Amazon Linux Security Advisory for git : ALAS-2022-254
  • 355256 Amazon Linux Security Advisory for git : ALAS2023-2023-065
  • 377735 Apple Xcode Prior to 14.1 Vulnerabilities (HT213496)
  • 378017 Docker Desktop Multiple Vulnerabilities (4140)
  • 378631 Docker Engine Git Vulnerability
  • 502550 Alpine Linux Security Update for git
  • 502551 Alpine Linux Security Update for git
  • 502552 Alpine Linux Security Update for git
  • 502553 Alpine Linux Security Update for git
  • 502554 Alpine Linux Security Update for docker
  • 502570 Alpine Linux Security Update for docker-cli-compose
  • 502726 Alpine Linux Security Update for git
  • 504667 Alpine Linux Security Update for docker-cli-compose
  • 504677 Alpine Linux Security Update for docker
  • 505620 Alpine Linux Security Update for git
  • 672479 EulerOS Security Update for git (EulerOS-SA-2023-1009)
  • 672505 EulerOS Security Update for git (EulerOS-SA-2023-1034)
  • 672527 EulerOS Security Update for git (EulerOS-SA-2023-1123)
  • 672572 EulerOS Security Update for git (EulerOS-SA-2023-1099)
  • 672632 EulerOS Security Update for git (EulerOS-SA-2023-1356)
  • 672657 EulerOS Security Update for git (EulerOS-SA-2023-1384)
  • 672784 EulerOS Security Update for git (EulerOS-SA-2023-1502)
  • 690963 Free Berkeley Software Distribution (FreeBSD) Security Update for git (2523bc76-4f01-11ed-929b-002590f2a714)
  • 710816 Gentoo Linux Git Multiple Vulnerabilities (GLSA 202312-15)
  • 752782 SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:3931-1)
  • 752937 SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:4271-1)
  • 753699 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:0418-1)
  • 91960 Microsoft Visual Studio Security Updates for November 2022
  • 941032 AlmaLinux Security Update for git (ALSA-2023:2319)
  • 941077 AlmaLinux Security Update for git (ALSA-2023:2859)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report