CVE-2022-39253
19.10.2022, 11:15
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor.

When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory.

The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x.

Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
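As an added example (not part of this advisory and not Git's own tooling), the following POSIX shell script classifies a Git version string against the affected ranges stated above, per release line, and audits whether the `protocol.file.allow` workaround from the advisory is set in the global Git configuration. The function names and the `--audit` flag are this example's own; the only Git commands it relies on are `git --version` and `git config --global --get`.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Git itself: classify a Git
# version against the CVE-2022-39253 affected ranges and audit the
# protocol.file.allow workaround. Function names and the --audit flag are
# this example's own invention.

# First fixed patch level for each affected 2.x minor line (from the advisory).
fixed_patch_for_minor() {
  case "$1" in
    30) echo 6 ;;
    31) echo 5 ;;
    32) echo 4 ;;
    33) echo 5 ;;
    34) echo 5 ;;
    35) echo 5 ;;
    36) echo 3 ;;
    37) echo 4 ;;
    *)  echo "" ;;
  esac
}

# cve_2022_39253_status MAJOR.MINOR[.PATCH[...]]
# Prints "affected" when the version falls in a listed affected range,
# otherwise "not-affected". Trailing suffixes such as ".windows.1" are ignored.
cve_2022_39253_status() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3)
  patch=${patch%%[!0-9]*}        # "4-rc1" -> "4"
  : "${minor:=0}"                # "2" -> minor 0
  : "${patch:=0}"                # "2.38" -> patch 0

  if [ "$major" -lt 2 ]; then echo affected; return; fi
  if [ "$major" -gt 2 ]; then echo not-affected; return; fi
  # Everything below 2.30.6 is affected, including all 2.0 to 2.29 releases.
  if [ "$minor" -lt 30 ]; then echo affected; return; fi

  fixed=$(fixed_patch_for_minor "$minor")
  if [ -n "$fixed" ]; then
    if [ "$patch" -lt "$fixed" ]; then echo affected; else echo not-affected; fi
    return
  fi
  # NVD lists 2.38.0 as affected; later releases are not in the affected table.
  if [ "$minor" -eq 38 ] && [ "$patch" -eq 0 ]; then echo affected; else echo not-affected; fi
}

# Returns 0 when the global protocol.file.allow setting restricts file://
# submodule fetches ("user" or "never"), 1 when it is unset or "always".
# Needs git on PATH.
protocol_file_allow_restricted() {
  val=$(git config --global --get protocol.file.allow 2>/dev/null)
  case "$val" in
    user|never) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit the Git on PATH: report version status and workaround state.
# Exit status 0 only when the version is not affected or the workaround is set.
audit_installed_git() {
  command -v git >/dev/null 2>&1 || { echo "git: not installed"; return 2; }
  ver=$(git --version | sed 's/^git version //')
  status=$(cve_2022_39253_status "$ver")
  echo "git $ver: $status"
  if protocol_file_allow_restricted; then
    echo "protocol.file.allow: restricted (workaround in place)"
    return 0
  fi
  echo "protocol.file.allow: not set to user/never (workaround not applied)"
  [ "$status" = not-affected ]
}

# Usage: sh check-git.sh --audit        audit the installed git and config
#        sh check-git.sh 2.37.3 2.38.1  classify the given version strings
case "${1:-}" in
  "")      ;;                          # no arguments: define functions only
  --audit) audit_installed_git ;;
  *)       for v in "$@"; do printf '%s: %s\n' "$v" "$(cve_2022_39253_status "$v")"; done ;;
esac
```

The version check reproduces the per-branch ranges from the NVD table rather than a single "less than 2.37.4" comparison, because a 2.34.5 build is fixed while a 2.37.3 build is not. The config audit only reads the global scope; a repository-local `protocol.file.allow` can still override it, so an inventory pass would also check `--system` and any per-repository settings.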
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| git-scm | git | 𝑥 < 2.30.6 |
| git-scm | git | 2.31.0 ≤ 𝑥 < 2.31.5 |
| git-scm | git | 2.32.0 ≤ 𝑥 < 2.32.4 |
| git-scm | git | 2.33.0 ≤ 𝑥 < 2.33.5 |
| git-scm | git | 2.34.0 ≤ 𝑥 < 2.34.5 |
| git-scm | git | 2.35.0 ≤ 𝑥 < 2.35.5 |
| git-scm | git | 2.36.0 ≤ 𝑥 < 2.36.3 |
| git-scm | git | 2.37.0 ≤ 𝑥 < 2.37.4 |
| git-scm | git | 2.38.0 |
| apple | xcode | 𝑥 < 14.1 |
| debian | debian_linux | 10.0 |
𝑥 = vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| git | git | 𝑥 < 2.30.6 | CNA |
| git | git | 𝑥 < 2.31.5 | CNA |
| git | git | 𝑥 < 2.32.4 | CNA |
| git | git | 𝑥 < 2.33.5 | CNA |
| git | git | 𝑥 < 2.34.5 | CNA |
| git | git | 𝑥 < 2.35.5 | CNA |
| git | git | 𝑥 < 2.36.3 | CNA |
| git | git | 𝑥 < 2.37.4 | CNA |
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
| openSUSE Product |
|---|
| git |
| git-arch |
| git-core |
| git-cvs |
| git-daemon |
| git-doc |
| git-email |
| git-gui |
| git-svn |
| git-web |
| gitk |
| perl-Git |
Red Hat Enterprise Linux Releases
| Red Hat Product |
|---|
| git |
| git-all |
| git-core |
| git-core-doc |
| git-credential-libsecret |
| git-daemon |
| git-email |
| git-gui |
| git-instaweb |
| git-subtree |
| git-svn |
| gitk |
| gitweb |
| perl-Git |
| perl-Git-SVN |
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-59 - Improper Link Resolution Before File Access ('Link Following'): The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
References