CVE-2023-25652
Summary
| Field | Value |
|---|---|
| CVE | CVE-2023-25652 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-25 20:15:00 UTC |
| Updated | 2023-12-27 10:15:00 UTC |
| Description | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| "git apply --reject" partially-controlled arbitrary file write · Advisory · git/git · GitHub | MISC | github.com | |
| oss-security - [ANNOUNCE] Git v2.40.1 and friends | MISC | www.openwall.com | |
| Git 2.30.9 · git/git@668f2d5 · GitHub | MISC | github.com | |
| Git: Multiple Vulnerabilities (GLSA 202312-15) — Gentoo security | | security.gentoo.org | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | | lists.fedoraproject.org | |
| Merge branch 'js/apply-overwrite-rej-symlink-if-exists' into maint-2.30 · git/git@18e2b1c · GitHub | MISC | github.com | |
| [SECURITY] Fedora 38 Update: git-2.40.1-1.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: git-2.40.1-1.fc36 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| [SECURITY] Fedora 37 Update: git-2.40.1-1.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160648 Oracle Enterprise Linux Security Update for git (ELSA-2023-3245)
- 160649 Oracle Enterprise Linux Security Update for git (ELSA-2023-3263)
- 160686 Oracle Enterprise Linux Security Update for git (ELSA-2023-3246)
- 199315 Ubuntu Security Notification for Git Vulnerabilities (USN-6050-1)
- 199538 Ubuntu Security Notification for Git Vulnerabilities (USN-6050-2)
- 241548 Red Hat Update for git (RHSA-2023:3248)
- 241549 Red Hat Update for git (RHSA-2023:3246)
- 241550 Red Hat Update for git (RHSA-2023:3243)
- 241551 Red Hat Update for git (RHSA-2023:3245)
- 241552 Red Hat Update for git (RHSA-2023:3247)
- 241554 Red Hat Update for git (RHSA-2023:3263)
- 241555 Red Hat Update for rh-git227-git (RHSA-2023:3280)
- 241596 Red Hat Update for git (RHSA-2023:3192)
- 257241 CentOS Security Update for git (CESA-2023:3263)
- 283954 Fedora Security Update for git (FEDORA-2023-d84a75ea52)
- 283975 Fedora Security Update for git (FEDORA-2023-003e7d2867)
- 284158 Fedora Security Update for git (FEDORA-2023-eaf1bdd5ae)
- 284757 Fedora Security Update for git (FEDORA-2023-2c851f43ba)
- 296101 Oracle Solaris 11.4 Support Repository Update (SRU) 59.138.2 Missing (CPUJUL2023)
- 355246 Amazon Linux Security Advisory for git : ALAS2023-2023-180
- 355394 Amazon Linux Security Advisory for git : ALAS2-2023-2072
- 378536 Alibaba Cloud Linux Security Update for git (ALINUX2-SA-2023:0024)
- 378539 Alibaba Cloud Linux Security Update for git (ALINUX3-SA-2023:0047)
- 378588 Microsoft Edge Based on Chromium Prior to 109.0.1518.115 Multiple Vulnerabilities
- 502984 Alpine Linux Security Update for git
- 502985 Alpine Linux Security Update for git
- 502986 Alpine Linux Security Update for git
- 502988 Alpine Linux Security Update for git
- 503108 Alpine Linux Security Update for git
- 505874 Alpine Linux Security Update for git
- 673170 EulerOS Security Update for git (EulerOS-SA-2023-2312)
- 673195 EulerOS Security Update for git (EulerOS-SA-2023-2332)
- 673209 EulerOS Security Update for git (EulerOS-SA-2023-2354)
- 673235 EulerOS Security Update for git (EulerOS-SA-2023-2380)
- 673529 EulerOS Security Update for git (EulerOS-SA-2023-2641)
- 673562 EulerOS Security Update for git (EulerOS-SA-2023-3127)
- 673708 EulerOS Security Update for git (EulerOS-SA-2023-2683)
- 691154 Free Berkeley Software Distribution (FreeBSD) Security Update for git (d2c6173f-e43b-11ed-a1d7-002590f2a714)
- 710816 Gentoo Linux Git Multiple Vulnerabilities (GLSA 202312-15)
- 753944 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2038-1)
- 753957 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2062-1)
- 753961 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2038-2)
- 753972 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2081-1)
- 92027 Microsoft Visual Studio Security Updates for June 2023
- 941120 AlmaLinux Security Update for git (ALSA-2023:3246)
- 941122 AlmaLinux Security Update for git (ALSA-2023:3245)
- 960936 Rocky Linux Security Update for git (RLSA-2023:3246)