CVE-2023-25815
Summary
| Field | Value |
|---|---|
| CVE | CVE-2023-25815 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-04-25 20:15:00 UTC |
| Updated | 2023-12-27 10:15:00 UTC |
| Description | In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`. |
Risk And Classification
Problem Types: CWE-22 | CWE-134
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Operating System | Fedoraproject | Fedora | 38 | All | All | All |
| Application | Git For Windows Project | Git For Windows | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - [ANNOUNCE] Git v2.40.1 and friends | MISC | www.openwall.com | |
| Git: Multiple Vulnerabilities (GLSA 202312-15) — Gentoo security | | security.gentoo.org | |
| Exploit 101 - Format Strings - BreakInSecurity | MISC | axcheron.github.io | |
| [SECURITY] Fedora 38 Update: git-2.40.1-1.fc38 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: git-2.40.1-1.fc36 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| gettext: update to 0.21 by lazka · Pull Request #10461 · msys2/MINGW-packages · GitHub | MISC | github.com | |
| Git looks for localized messages in an unprivileged place · Advisory · git-for-windows/git · GitHub | MISC | github.com | |
| fprintf | MISC | pubs.opengroup.org | |
| Release Git for Windows 2.40.1 · git-for-windows/git · GitHub | MISC | github.com | |
| [SECURITY] Fedora 37 Update: git-2.40.1-1.fc37 - package-announce - Fedora Mailing-Lists | MISC | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160648 Oracle Enterprise Linux Security Update for git (ELSA-2023-3245)
- 160686 Oracle Enterprise Linux Security Update for git (ELSA-2023-3246)
- 199315 Ubuntu Security Notification for Git Vulnerabilities (USN-6050-1)
- 241548 Red Hat Update for git (RHSA-2023:3248)
- 241549 Red Hat Update for git (RHSA-2023:3246)
- 241550 Red Hat Update for git (RHSA-2023:3243)
- 241551 Red Hat Update for git (RHSA-2023:3245)
- 241552 Red Hat Update for git (RHSA-2023:3247)
- 241555 Red Hat Update for rh-git227-git (RHSA-2023:3280)
- 241596 Red Hat Update for git (RHSA-2023:3192)
- 283954 Fedora Security Update for git (FEDORA-2023-d84a75ea52)
- 283975 Fedora Security Update for git (FEDORA-2023-003e7d2867)
- 284158 Fedora Security Update for git (FEDORA-2023-eaf1bdd5ae)
- 296101 Oracle Solaris 11.4 Support Repository Update (SRU) 59.138.2 Missing (CPUJUL2023)
- 378458 Git for Windows Multiple Security Vulnerability
- 378539 Alibaba Cloud Linux Security Update for git (ALINUX3-SA-2023:0047)
- 378588 Microsoft Edge Based on Chromium Prior to 109.0.1518.115 Multiple Vulnerabilities
- 502984 Alpine Linux Security Update for git
- 502985 Alpine Linux Security Update for git
- 502986 Alpine Linux Security Update for git
- 502988 Alpine Linux Security Update for git
- 503108 Alpine Linux Security Update for git
- 505874 Alpine Linux Security Update for git
- 673170 EulerOS Security Update for git (EulerOS-SA-2023-2312)
- 673195 EulerOS Security Update for git (EulerOS-SA-2023-2332)
- 673209 EulerOS Security Update for git (EulerOS-SA-2023-2354)
- 673235 EulerOS Security Update for git (EulerOS-SA-2023-2380)
- 673529 EulerOS Security Update for git (EulerOS-SA-2023-2641)
- 673562 EulerOS Security Update for git (EulerOS-SA-2023-3127)
- 673708 EulerOS Security Update for git (EulerOS-SA-2023-2683)
- 710816 Gentoo Linux Git Multiple Vulnerabilities (GLSA 202312-15)
- 753944 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2038-1)
- 753957 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2062-1)
- 753961 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2038-2)
- 753972 SUSE Enterprise Linux Security Update for git (SUSE-SU-2023:2081-1)
- 92027 Microsoft Visual Studio Security Updates for June 2023
- 941120 AlmaLinux Security Update for git (ALSA-2023:3246)
- 941122 AlmaLinux Security Update for git (ALSA-2023:3245)
- 960936 Rocky Linux Security Update for git (RLSA-2023:3246)