CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30947
https://notcve.org/view.php?id=CVE-2022-30947
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. El Plugin Git de Jenkins versiones 4.11.1 y anteriores, permiten a atacantes configurar los pipelines para comprobar algunos repositorios SCM almacenados en el sistema de archivos del controlador de Jenkins usando rutas locales como URLs SCM, obteniendo información limitada sobre los contenidos SCM de otros proyectos • http://www.openwall.com/lists/oss-security/2022/05/17/8 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 1CVE-2022-25648 – Command Injection
https://notcve.org/view.php?id=CVE-2022-25648
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. El paquete git versiones anteriores a 1.11.0, es vulnerable a una inyección de comandos por medio de una inyección de argumentos git. Cuando es llamada a la función fetch(remote = "origin", opts = {}), el parámetro remoto es pasado al subcomando git fetch de forma que pueden establecerse flags adicionales. • https://github.com/ruby-git/ruby-git/pull/569 https://github.com/ruby-git/ruby-git/releases/tag/v1.11.0 https://lists.debian.org/debian-lts-announce/2023/01/msg00043.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTJUF6SFPL4ZVSJQHGQ36KFPFO5DQVYZ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWNJ • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-24765 – Uncontrolled search for the Git directory in Git for Windows
https://notcve.org/view.php?id=CVE-2022-24765
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. • http://seclists.org/fulldisclosure/2022/May/31 http://www.openwall.com/lists/oss-security/2022/04/12/7 https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2 https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedor • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-24975
https://notcve.org/view.php?id=CVE-2022-24975
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk. La documentación --mirror para Git versiones hasta 2.35.1, no menciona la disponibilidad del contenido eliminado, también se conoce como el problema "GitBleed". Esto podría presentar un riesgo de seguridad si los procesos de auditoría de divulgación de información dependen de una operación de clonación sin la opción --mirror • https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191 https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-46101
https://notcve.org/view.php?id=CVE-2021-46101
In Git for windows through 2.34.1 when using git pull to update the local warehouse, git.cmd can be run directly. En Git para windows versiones hasta 2.34.1, cuando es usado git pull para actualizar el almacén local, puede ejecutarse directamente git.cmd • https://github.com/0xADY/git_rce •