CVE-2022-24765
Uncontrolled search for the Git directory in Git for Windows
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.
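The following PowerShell script is an added example, not code from the advisory or from the Git for Windows project. It audits every filesystem drive root for a planted `.git` directory, reports its owner and any config keys that Git would honour from it (keys such as `core.fsmonitor` or `core.editor` are the usual vehicles for running a command), and optionally applies the two workarounds described above: creating a locked-down placeholder `<drive>:\.git`, and extending `GIT_CEILING_DIRECTORIES` to the parent of the user profile. The `-ApplyCeiling` and `-CreatePlaceholders` switches are hypothetical names chosen for this example; it assumes an elevated PowerShell 5.1+ session on Windows.

```powershell
# Added example (not from the advisory or Git for Windows): audit drive roots for an
# attacker-planted .git directory and apply the CVE-2022-24765 workarounds.
# Assumptions: elevated PowerShell 5.1+, user profile under a parent such as C:\Users.
param(
    [switch]$ApplyCeiling,        # extend GIT_CEILING_DIRECTORIES for the current user
    [switch]$CreatePlaceholders   # create <drive>:\.git placeholders nobody else can write
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $candidate = Join-Path $drive.Root '.git'
    if (Test-Path -LiteralPath $candidate) {
        $owner = (Get-Acl -LiteralPath $candidate).Owner
        Write-Warning "$candidate exists (owner: $owner)"
        $config = Join-Path $candidate 'config'
        if (Test-Path -LiteralPath $config) {
            # Flag config keys that make Git run a program; a .git at a drive root
            # should normally have no reason to set any of these.
            Get-Content -LiteralPath $config |
                Where-Object { $_ -match '^\s*(fsmonitor|editor|pager|sshCommand|hooksPath)\s*=' } |
                ForEach-Object { Write-Warning "  suspicious setting: $($_.Trim())" }
        }
    } elseif ($CreatePlaceholders) {
        # Workaround from the advisory: occupy <drive>:\.git ourselves so an untrusted
        # user cannot, then drop inherited permissions so nobody else can read or write it.
        New-Item -ItemType Directory -Path $candidate | Out-Null
        $acl = Get-Acl -LiteralPath $candidate
        $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited ACEs
        foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $candidate -AclObject $acl
        Write-Host "created placeholder $candidate restricted to $me"
    }
}

if ($ApplyCeiling) {
    # Git stops walking upwards once it reaches a ceiling directory, so setting the
    # parent of the profile (e.g. C:\Users) keeps C:\.git out of reach.
    $ceiling  = Split-Path -Path $env:USERPROFILE -Parent
    $existing = [Environment]::GetEnvironmentVariable('GIT_CEILING_DIRECTORIES', 'User')
    $value    = if ($existing) { "$existing;$ceiling" } else { $ceiling }
    [Environment]::SetEnvironmentVariable('GIT_CEILING_DIRECTORIES', $value, 'User')
    Write-Host "GIT_CEILING_DIRECTORIES (user scope) = $value"
}
```

Run it once without switches to get a report, then with `-ApplyCeiling` (and `-CreatePlaceholders` if you cannot upgrade to v2.35.2). The ceiling variable only takes effect in processes started after it is set, and it does not protect repositories checked out above the ceiling, so upgrading remains the real fix.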
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-12 CVE Published
- 2023-07-18 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-427: Uncontrolled Search Path Element
CAPEC
References (19)
URL | Tag | Source
---|---|---
http://seclists.org/fulldisclosure/2022/May/31 | Mailing List |
http://www.openwall.com/lists/oss-security/2022/04/12/7 | Mailing List |
https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2 | Mitigation |
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html | Mailing List |
https://support.apple.com/kb/HT213261 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status
---|---|---|---|---|---|---|---|---|---|---
Git-scm | Git | < 2.35.2 | - | Affected | in | Microsoft | Windows | - | - | Safe
Fedoraproject | Fedora | 34 | - | Affected | | | | | |
Fedoraproject | Fedora | 35 | - | Affected | | | | | |
Fedoraproject | Fedora | 36 | - | Affected | | | | | |
Fedoraproject | Fedora | 37 | - | Affected | | | | | |
Apple | Xcode | < 13.4 | - | Affected | | | | | |
Debian | Debian Linux | 10.0 | - | Affected | | | | | |