{"api_version":"1","generated_at":"2026-04-23T04:33:36+00:00","cve":"CVE-2022-24765","urls":{"html":"https://cve.report/CVE-2022-24765","api":"https://cve.report/api/cve/CVE-2022-24765.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24765","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24765"},"summary":{"title":"CVE-2022-24765","description":"Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. 
`C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-04-12 18:15:00","updated_at":"2023-12-27 10:15:00"},"problem_types":["CWE-427"],"metrics":[],"references":[{"url":"https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode","name":"https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode","refsource":"MISC","tags":[],"title":"Git - git Documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/","name":"FEDORA-2023-470c7ea49e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: libgit2-1.3.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/","name":"FEDORA-2022-dfd7e7fc0e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: git-2.37.1-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/","name":"FEDORA-2023-e3c8abd37e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: rust-cargo-c-0.9.12-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/","name":"FEDORA-2022-3759ebabd2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: git-2.35.3-1.fc35 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/","name":"FEDORA-2022-2fec5f30be","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: git-2.34.3-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/","name":"FEDORA-2023-1068309389","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: libgit2-1.3.2-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/","name":"FEDORA-2023-470c7ea49e","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: libgit2-1.3.2-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/","name":"FEDORA-2023-3ec32f6d4e","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: rust-bat-0.21.0-6.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash","name":"https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash","refsource":"MISC","tags":[],"title":"Git - Git in Bash","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html","name":"[debian-lts-announce] 20221213 [SECURITY] [DLA 3239-1] git security 
update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3239-1] git security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2022/04/12/7","name":"[oss-security] 20220412 git v2.35.2 and friends for CVE-2022-24765","refsource":"MLIST","tags":[],"title":"oss-security - git v2.35.2 and friends for CVE-2022-24765","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202312-15","name":"GLSA-202312-15","refsource":"","tags":[],"title":"Git: Multiple Vulnerabilities (GLSA 202312-15) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/","name":"FEDORA-2022-dfd7e7fc0e","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: git-2.37.1-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/","name":"FEDORA-2023-3ec32f6d4e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: rust-bat-0.21.0-6.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/","name":"FEDORA-2022-e99ae504f5","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: git-2.36.0-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/","name":"FEDORA-2022-2a5de7cb8b","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 
Update: git-2.37.1-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2022/May/31","name":"20220516 APPLE-SA-2022-05-16-8 Xcode 13.4","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: APPLE-SA-2022-05-16-8 Xcode 13.4","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT213261","name":"https://support.apple.com/kb/HT213261","refsource":"CONFIRM","tags":[],"title":"About the security content of Xcode 13.4 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/","name":"FEDORA-2022-2a5de7cb8b","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: git-2.37.1-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/","name":"FEDORA-2023-1068309389","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: libgit2-1.3.2-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/","name":"FEDORA-2023-e3c8abd37e","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: rust-cargo-c-0.9.12-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/","name":"FEDORA-2022-e99ae504f5","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: git-2.36.0-1.fc36 - 
package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/","name":"FEDORA-2022-2fec5f30be","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: git-2.34.3-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2","name":"https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2","refsource":"CONFIRM","tags":[],"title":"Uncontrolled search for the Git directory in Git for Windows · Advisory · git-for-windows/git · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/","name":"FEDORA-2022-3759ebabd2","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: git-2.35.3-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24765","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24765","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"xcode","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"git-scm","cpe5":"git","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24765","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"
microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24765","qid":"160630","title":"Oracle Enterprise Linux Security Update for git (ELSA-2023-2319)"},{"cve":"CVE-2022-24765","qid":"160657","title":"Oracle Enterprise Linux Security Update for git (ELSA-2023-2859)"},{"cve":"CVE-2022-24765","qid":"181320","title":"Debian Security Update for git (DLA 3239-1)"},{"cve":"CVE-2022-24765","qid":"181321","title":"Debian Security Update for git (DLA 3239-2)"},{"cve":"CVE-2022-24765","qid":"181518","title":"Debian Security Update for git (DSA 5332-1)"},{"cve":"CVE-2022-24765","qid":"183677","title":"Debian Security Update for git (CVE-2022-24765)"},{"cve":"CVE-2022-24765","qid":"198738","title":"Ubuntu Security Notification for Git Vulnerability (USN-5376-1)"},{"cve":"CVE-2022-24765","qid":"198769","title":"Ubuntu Security Notification for Git Vulnerability (USN-5376-2)"},{"cve":"CVE-2022-24765","qid":"241436","title":"Red Hat Update for git (RHSA-2023:2319)"},{"cve":"CVE-2022-24765","qid":"241487","title":"Red Hat Update for git (RHSA-2023:2859)"},{"cve":"CVE-2022-24765","qid":"242859","title":"Red Hat Update for git (RHSA-2024:0407)"},{"cve":"CVE-2022-24765","qid":"282662","title":"Fedora Security Update for git (FEDORA-2022-2fec5f30be)"},{"cve":"CVE-2022-24765","qid":"282663","title":"Fedora Security Update for git (FEDORA-2022-3759ebabd2)"},{"cve":"CVE-2022-24765","qid":"282953","title":"Fedora Security Update for git (FEDORA-2022-dfd7e7fc0e)"},{"cve":"CVE-2022-24765","qid":"282985","title":"Fedora Security Update for git (FEDORA-2022-2a5de7cb8b)"},{"cve":"CVE-2022-24765","qid":"283637","title":"Fedora Security Update for libgit2 (FEDORA-2023-470c7ea49e)"},{"cve":"CVE-2022-24765","qid":"283645","title":"Fedora Security Update for rust (FEDORA-2023-e3c8abd37e)"},{"cve":"CVE-2022-24765","qid":"283646","title":"Fedora 
Security Update for libgit2 (FEDORA-2023-1068309389)"},{"cve":"CVE-2022-24765","qid":"283652","title":"Fedora Security Update for rust (FEDORA-2023-3ec32f6d4e)"},{"cve":"CVE-2022-24765","qid":"296082","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)"},{"cve":"CVE-2022-24765","qid":"296086","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 51.132.1 Missing (CPUOCT2022)"},{"cve":"CVE-2022-24765","qid":"353952","title":"Amazon Linux Security Advisory for git : ALAS-2022-1589"},{"cve":"CVE-2022-24765","qid":"353980","title":"Amazon Linux Security Advisory for git : ALAS2-2022-1810"},{"cve":"CVE-2022-24765","qid":"354348","title":"Amazon Linux Security Advisory for git : ALAS2022-2022-067"},{"cve":"CVE-2022-24765","qid":"354445","title":"Amazon Linux Security Advisory for git : ALAS2022-2022-236"},{"cve":"CVE-2022-24765","qid":"354589","title":"Amazon Linux Security Advisory for git : ALAS-2022-236"},{"cve":"CVE-2022-24765","qid":"355256","title":"Amazon Linux Security Advisory for git : ALAS2023-2023-065"},{"cve":"CVE-2022-24765","qid":"376606","title":"Apple Xcode Prior to 13.4 Vulnerability (HT213261)"},{"cve":"CVE-2022-24765","qid":"501412","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2022-24765","qid":"501742","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2022-24765","qid":"501961","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2022-24765","qid":"502219","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2022-24765","qid":"502876","title":"Alpine Linux Security Update for libgit2"},{"cve":"CVE-2022-24765","qid":"503967","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2022-24765","qid":"671833","title":"EulerOS Security Update for git (EulerOS-SA-2022-1888)"},{"cve":"CVE-2022-24765","qid":"671902","title":"EulerOS Security Update for git (EulerOS-SA-2022-1929)"},{"cve":"CVE-2022-24765","qid":"671916","title":"EulerOS Security Update for git 
(EulerOS-SA-2022-1995)"},{"cve":"CVE-2022-24765","qid":"671942","title":"EulerOS Security Update for git (EulerOS-SA-2022-1965)"},{"cve":"CVE-2022-24765","qid":"671969","title":"EulerOS Security Update for git (EulerOS-SA-2022-2156)"},{"cve":"CVE-2022-24765","qid":"672001","title":"EulerOS Security Update for git (EulerOS-SA-2022-2131)"},{"cve":"CVE-2022-24765","qid":"710816","title":"Gentoo Linux Git Multiple Vulnerabilities (GLSA 202312-15)"},{"cve":"CVE-2022-24765","qid":"752045","title":"SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:1260-1)"},{"cve":"CVE-2022-24765","qid":"752066","title":"SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:1306-1)"},{"cve":"CVE-2022-24765","qid":"752096","title":"SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:1484-1)"},{"cve":"CVE-2022-24765","qid":"752375","title":"SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:2535-1)"},{"cve":"CVE-2022-24765","qid":"752381","title":"SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:2537-1)"},{"cve":"CVE-2022-24765","qid":"752392","title":"SUSE Enterprise Linux Security Update for git (SUSE-SU-2022:2550-1)"},{"cve":"CVE-2022-24765","qid":"752650","title":"SUSE Enterprise Linux Security Update for libgit2 (SUSE-SU-2022:3494-1)"},{"cve":"CVE-2022-24765","qid":"752654","title":"SUSE Enterprise Linux Security Update for libgit2 (SUSE-SU-2022:3495-1)"},{"cve":"CVE-2022-24765","qid":"753386","title":"SUSE Enterprise Linux Security Update for libgit2 (SUSE-SU-2022:3283-1)"},{"cve":"CVE-2022-24765","qid":"91881","title":"Microsoft Visual Studio Security Update for April 2022"},{"cve":"CVE-2022-24765","qid":"941032","title":"AlmaLinux Security Update for git (ALSA-2023:2319)"},{"cve":"CVE-2022-24765","qid":"941077","title":"AlmaLinux Security Update for git (ALSA-2023:2859)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24765","STATE":"PUBLIC","TITLE":"Uncontrolled search for 
the Git directory in Git for Windows"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"git","version":{"version_data":[{"version_value":"< 2.35.2"}]}}]},"vendor_name":"git-for-windows"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. 
`C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-427: Uncontrolled Search Path Element"}]}]},"references":{"reference_data":[{"name":"https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2","refsource":"CONFIRM","url":"https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2"},{"name":"https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash","refsource":"MISC","url":"https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash"},{"name":"https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode","refsource":"MISC","url":"https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode"},{"refsource":"MLIST","name":"[oss-security] 20220412 git v2.35.2 and friends for 
CVE-2022-24765","url":"http://www.openwall.com/lists/oss-security/2022/04/12/7"},{"refsource":"FEDORA","name":"FEDORA-2022-e99ae504f5","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/"},{"refsource":"FEDORA","name":"FEDORA-2022-3759ebabd2","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/"},{"refsource":"FEDORA","name":"FEDORA-2022-2fec5f30be","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213261","url":"https://support.apple.com/kb/HT213261"},{"refsource":"FULLDISC","name":"20220516 APPLE-SA-2022-05-16-8 Xcode 13.4","url":"http://seclists.org/fulldisclosure/2022/May/31"},{"refsource":"FEDORA","name":"FEDORA-2022-dfd7e7fc0e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/"},{"refsource":"FEDORA","name":"FEDORA-2022-2a5de7cb8b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221213 [SECURITY] [DLA 3239-1] git security 
update","url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html"},{"refsource":"FEDORA","name":"FEDORA-2023-470c7ea49e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/"},{"refsource":"FEDORA","name":"FEDORA-2023-e3c8abd37e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/"},{"refsource":"FEDORA","name":"FEDORA-2023-1068309389","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/"},{"refsource":"FEDORA","name":"FEDORA-2023-3ec32f6d4e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/"}]},"source":{"advisory":"GHSA-vw2c-22j4-2fh2","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-04-12 18:15:00","lastModifiedDate":"2023-12-27 10:15:00","problem_types":["CWE-427"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:C/I:C/A:C","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":6.9},"severity":"MEDIUM","exploitabilityScore":3.4,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"ope
rator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionEndExcluding":"2.35.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*","versionEndExcluding":"13.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24765","Ordinal":"228217","Title":"CVE-2022-24765","CVE":"CVE-2022-24765","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24765","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}