// For flags

CVE-2022-39253

Git subject to exposure of sensitive information via local clone of symbolic links

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Git es un sistema de control de revisiones distribuido, escalable y de código abierto. Las versiones anteriores a la 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4 están sujetas a una exposición de información confidencial a un actor malicioso. Cuando es llevado a cabo un clon local (en el que el origen y el destino del clon están en el mismo volumen), Git copia el contenido del directorio "$GIT_DIR/objects" del origen en el destino creando enlaces duros al contenido del origen o copiándolo (si los enlaces duros están deshabilitados por medio de "--no-hardlinks"). Un actor malicioso podría convencer a una víctima de clonar un repositorio con un enlace simbólico que apunte a información confidencial en la máquina de la víctima. Esto puede hacerse ya sea que la víctima clone un repositorio malicioso en la misma máquina, o haciendo que clone un repositorio malicioso insertado como repositorio desnudo por medio de un submódulo de cualquier fuente, siempre que clone con la opción "--recurse-submodules". Git no crea enlaces simbólicos en el directorio "$GIT_DIR/objects". El problema ha sido parcheado en las versiones publicadas el 18-10-2022, y retrocedido a v2.30.x. Posibles mitigaciones: Evite clonar repositorios no confiables usando la optimización "--local" cuando esté en una máquina compartida, ya sea pasando la opción "--no-local" a "git clone" o clonando desde una URL que use el esquema "file://". Alternativamente, evita clonar repositorios de fuentes no confiables con "--recurse-submodules" o ejecuta "git config --global protocol.file.allow user"

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-09-02 CVE Reserved
  • 2022-10-18 CVE Published
  • 2024-06-11 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
< 2.30.6
Search vendor "Git-scm" for product "Git" and version " < 2.30.6"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.31.0 < 2.31.5
Search vendor "Git-scm" for product "Git" and version " >= 2.31.0 < 2.31.5"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.32.0 < 2.32.4
Search vendor "Git-scm" for product "Git" and version " >= 2.32.0 < 2.32.4"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.33.0 < 2.33.5
Search vendor "Git-scm" for product "Git" and version " >= 2.33.0 < 2.33.5"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.34.0 < 2.34.5
Search vendor "Git-scm" for product "Git" and version " >= 2.34.0 < 2.34.5"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.35.0 < 2.35.5
Search vendor "Git-scm" for product "Git" and version " >= 2.35.0 < 2.35.5"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.36.0 < 2.36.3
Search vendor "Git-scm" for product "Git" and version " >= 2.36.0 < 2.36.3"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
>= 2.37.0 < 2.37.4
Search vendor "Git-scm" for product "Git" and version " >= 2.37.0 < 2.37.4"
-
Affected
Git-scm
Search vendor "Git-scm"
Git
Search vendor "Git-scm" for product "Git"
2.38.0
Search vendor "Git-scm" for product "Git" and version "2.38.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected
Apple
Search vendor "Apple"
Xcode
Search vendor "Apple" for product "Xcode"
< 14.1
Search vendor "Apple" for product "Xcode" and version " < 14.1"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected