// For flags

CVE-2022-24765

Uncontrolled search for the Git directory in Git for Windows

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.

Git para Windows es un fork de Git que contiene parches específicos para Windows. Esta vulnerabilidad afecta a usuarios que trabajan en máquinas multiusuario, donde partes no confiables presentan acceso de escritura al mismo disco duro. Estas partes no confiables podrían crear la carpeta "C:\.git", que sería recogida por las operaciones de Git ejecutadas supuestamente fuera de un repositorio mientras es buscado un directorio Git. Git respetaría entonces cualquier configuración en dicho directorio Git. Los usuarios de Git Bash que configuren "GIT_PS1_SHOWDIRTYSTATE" también son vulnerables. Los usuarios que hayan instalado posh-git son vulnerables simplemente al iniciar un PowerShell. Los usuarios de IDEs como Visual Studio son vulnerables: la simple creación de un nuevo proyecto ya leería y respetaría la configuración especificada en "C:\.git\config". Los usuarios del fork de Microsoft de Git son vulnerables simplemente al iniciar un Git Bash. El problema ha sido parcheado en Git para Windows versión v2.35.2. Los usuarios que no puedan actualizarse pueden crear la carpeta ".git" en todas las unidades en las que sean ejecutados comandos de Git, y eliminar el acceso de lectura/escritura de esas carpetas como medida de mitigación. Como alternativa, defina o amplíe "GIT_CEILING_DIRECTORIES" para que cubra el directorio _parent_ del perfil de usuario, por ejemplo, "C:\Users" si el perfil de usuario es encontrado en "C:\Users\my-user-name"

A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-04-12 CVE Published
  • 2023-07-18 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-427: Uncontrolled Search Path Element
CAPEC
References (19)
URL Date SRC
URL Date SRC
URL Date SRC
https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash 2023-12-27
https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4 2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW 2023-12-27
https://security.gentoo.org/glsa/202312-15 2023-12-27
https://access.redhat.com/security/cve/CVE-2022-24765 2024-01-25
https://bugzilla.redhat.com/show_bug.cgi?id=2073414 2024-01-25
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
< 2.35.2
Search vendor "Git-scm" for product "Git" and version " < 2.35.2"
-
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected
Apple
Search vendor "Apple"
Xcode
Search vendor "Apple" for product "Xcode"
< 13.4
Search vendor "Apple" for product "Xcode" and version " < 13.4"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected