CVE-2022-41953

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2022-41953
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-01-17 22:15:00 UTC
Updated2023-01-25 14:13:00 UTC
DescriptionGit GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.

Risk And Classification

Problem Types: CWE-426

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Git-scm Git All All All All
Operating System Microsoft Windows - All All All

References

ReferenceSourceLinkTags
Merge v2.39.1.windows.1 (#4219) · git-for-windows/git@7360767 · GitHub MISC github.com
exec manual page - Tcl Built-In Commands MISC www.tcl.tk
Git GUI Clone Remote Code Execution Vulnerability · Advisory · git-for-windows/git · GitHub MISC github.com
Merge v2.39.1.windows.1 by derrickstolee · Pull Request #4219 · git-for-windows/git · GitHub MISC github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 377914 Git Remote Code Execution (RCE) Vulnerability
  • 672708 EulerOS Security Update for git (EulerOS-SA-2023-1466)
  • 672737 EulerOS Security Update for git (EulerOS-SA-2023-1441)
  • 672793 EulerOS Security Update for git (EulerOS-SA-2023-1548)
  • 672811 EulerOS Security Update for git (EulerOS-SA-2023-1523)
  • 672898 EulerOS Security Update for git (EulerOS-SA-2023-1757)
  • 672902 EulerOS Security Update for git (EulerOS-SA-2023-1779)
  • 905270 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13014)
  • 905279 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13025)
  • 905487 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13014-1)
  • 907383 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13025-1)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report