CVE-2023-22490

Published on: Not Yet Published

Last Modified on: 02/23/2023 10:24:00 PM UTC

CVE-2023-22490 - advisory for GHSA-gw92-x3fm-3g3q

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Certain versions of Git from Git-scm contain the following vulnerability:

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.

CVE-2023-22490 has been assigned by security-adviso[email protected] to track the vulnerability - currently rated as MEDIUM severity.

CVSS3 Score: 5.5 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	NONE	REQUIRED
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	NONE	NONE

CVE References

Description	Tags ^ⓘ	Link
Sync with Git 2.39.2 · git/git@c867e4f · GitHub	github.com text/html	MISC github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
Local clone optimization dereferences symbolic links by default · Advisory · git/git · GitHub	github.com text/html	MISC github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
Local clone-based data exfiltration with non-local transports · Advisory · git/git · GitHub	github.com text/html	MISC github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

160648 Oracle Enterprise Linux Security Update for git (ELSA-2023-3245)
160686 Oracle Enterprise Linux Security Update for git (ELSA-2023-3246)
181607 Debian Security Update for git (DLA 3338-1)
181677 Debian Security Update for git (DSA 5357-1)
182474 Debian Security Update for git (CVE-2023-22490)
199174 Ubuntu Security Notification for Git Vulnerabilities (USN-5871-1)
241549 Red Hat Update for git (RHSA-2023:3246)
241551 Red Hat Update for git (RHSA-2023:3245)
283708 Fedora Security Update for git (FEDORA-2023-5b372318ff)
283733 Fedora Security Update for git (FEDORA-2023-2b3acb6cfd)
354787 Amazon Linux Security Advisory for git : ALAS2-2023-1984
354808 Amazon Linux Security Advisory for git : ALAS-2023-1700
355065 Amazon Linux Security Advisory for git : AL2012-2023-389
355274 Amazon Linux Security Advisory for git : ALAS2023-2023-113
378539 Alibaba Cloud Linux Security Update for git (ALINUX3-SA-2023:0047)
378542 GitLab Multiple Security Vulnerability (14-Feb-23)
502661 Alpine Linux Security Update for git
502662 Alpine Linux Security Update for git
502665 Alpine Linux Security Update for git
502728 Alpine Linux Security Update for git
503107 Alpine Linux Security Update for git
673004 EulerOS Security Update for git (EulerOS-SA-2023-1841)
673007 EulerOS Security Update for git (EulerOS-SA-2023-1866)
673014 EulerOS Security Update for git (EulerOS-SA-2023-1951)
673023 EulerOS Security Update for git (EulerOS-SA-2023-1973)
673069 EulerOS Security Update for git (EulerOS-SA-2023-2145)
673139 EulerOS Security Update for git (EulerOS-SA-2023-2289)
673140 EulerOS Security Update for git (EulerOS-SA-2023-2265)
691069 Free Berkeley Software Distribution (FreeBSD) Security Update for git (9548d6ed-b1da-11ed-b0f4-002590f2a714)
753695 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:0426-1)
753699 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:0418-1)
753706 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:0430-1)
905572 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13607)
906542 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13607-1)
906596 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13607-3)
906796 Common Base Linux Mariner (CBL-Mariner) Security Update for git (13607-5)
91992 Microsoft Visual Studio Security Updates for March 2023
941120 AlmaLinux Security Update for git (ALSA-2023:3246)
941122 AlmaLinux Security Update for git (ALSA-2023:3245)
960936 Rocky Linux Security Update for git (RLSA-2023:3246)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Git-scm	Git	All	All	All	All

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)