CVE-2022-39253
Git subject to exposure of sensitive information via local clone of symbolic links
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume; this is the default whenever the source is given as a filesystem path rather than a URL), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). Vulnerable versions did this without checking whether an entry in that directory was a symbolic link, so a malicious repository whose `$GIT_DIR/objects` contains a symlink pointing at a sensitive file on the victim's machine causes that file's contents, or a hardlink to it, to end up in the clone's object store. The attacker can trigger this either by having the victim clone the malicious repository on the same machine, or by embedding the malicious repository as a bare repository inside a project's tree and referencing it as a submodule, so that a clone from any source with the `--recurse-submodules` option performs the local clone of the embedded bare repository. Git itself never creates symbolic links in `$GIT_DIR/objects`, so the fix can refuse them outright: patched versions abort a local clone when a symlink is found in the source's objects directory, and they also change the default of `protocol.file.allow` to `user`, so submodules are no longer fetched over the `file://` transport unless that is explicitly allowed. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: avoid cloning untrusted repositories with the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or by cloning from a URL that uses the `file://` scheme (both force the regular transport, which transfers objects as packs instead of copying the source's directory entries). Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules`, or run `git config --global protocol.file.allow user`.
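The pre-clone checks a practitioner would want from the description above, as an added example that is not part of the advisory and is not code from the Git project: a version test against the fixed releases, a scan of a repository's object store for symlinks (which Git never creates there), a scan of a checked-out tree for embedded bare repositories carrying such symlinks (the `--recurse-submodules` vector), and a wrapper that applies the two advisory workarounds (`--no-local` and `protocol.file.allow=user`) before cloning. Function names, the fixture paths and the "2.38.1" entry for the 2.38 line are assumptions, as labelled in the comments; the fixture is constructed data.

```sh
#!/bin/sh
# Added example for CVE-2022-39253; not code from the advisory or the Git project.
# Needs only POSIX sh, find and ln. git is used only by safe_local_clone and --demo.
set -u

# Fixed versions named in the advisory. 2.38.1 is an assumption for the 2.38 line:
# the page lists 2.38.0 as affected and the 2022-10-18 release covered that line too.
CVE_2022_39253_FIXED="2.30.6 2.31.5 2.32.4 2.33.5 2.34.5 2.35.5 2.36.3 2.37.4 2.38.1"

# git_vulnerable_39253 VERSION -> exit 0 if VERSION predates its line's fix, 1 otherwise.
# Accepts "2.37.4", "2.38" (patch 0) and vendor suffixes such as "2.37.4.windows.1".
git_vulnerable_39253() {
    ver=$1
    maj=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in
        *.*) min=${rest%%.*}; pat=${rest#*.}; pat=${pat%%[!0-9]*} ;;
        *)   min=$rest; pat=0 ;;
    esac
    [ "$maj" -lt 2 ] && return 0        # every 1.x predates every fix
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 30 ] && return 0       # "< 2.30.6" covers all earlier minors
    for fixed in $CVE_2022_39253_FIXED; do
        frest=${fixed#*.}
        fmin=${frest%%.*}
        fpat=${frest#*.}
        if [ "$fmin" -eq "$min" ]; then
            [ "$pat" -lt "$fpat" ] && return 0
            return 1
        fi
    done
    return 1                            # 2.39 and later shipped after the fix
}

# objects_dir REPO -> print REPO's object store (bare or non-bare layout), exit 1 if none.
objects_dir() {
    if [ -d "$1/.git/objects" ]; then printf '%s\n' "$1/.git/objects"
    elif [ -d "$1/objects" ]; then printf '%s\n' "$1/objects"
    else return 1
    fi
}

# symlinks_in_objects REPO -> print every symlink under the object store, exit 0 if any.
# Git never creates symlinks there, so a hit means the repository was hand-crafted.
symlinks_in_objects() {
    dir=$(objects_dir "$1") || return 1
    found=$(find "$dir" -type l)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# embedded_bare_repos TREE -> print directories under TREE shaped like bare repositories
# (a HEAD file beside objects/), which is what the --recurse-submodules vector plants.
embedded_bare_repos() {
    find "$1" -name .git -prune -o -type d -name objects -print |
    while IFS= read -r objs; do
        d=${objs%/objects}
        if [ -f "$d/HEAD" ]; then printf '%s\n' "$d"; fi
    done
}

# count_leaky_repos TREE -> how many embedded bare repos under TREE carry such a symlink.
count_leaky_repos() {
    embedded_bare_repos "$1" |
    while IFS= read -r d; do
        if symlinks_in_objects "$d" >/dev/null; then printf '%s\n' "$d"; fi
    done | wc -l | tr -d ' '
}

# safe_local_clone SRC DST -> apply the advisory's workarounds: refuse a source whose
# object store holds a symlink, clone without the --local optimisation, and restrict
# the file:// transport that submodule clones would use. Requires git.
safe_local_clone() {
    if symlinks_in_objects "$1" >&2; then
        echo "refusing to clone $1: symlink(s) in object store" >&2
        return 1
    fi
    git -c protocol.file.allow=user clone --no-local "$1" "$2"
}

# make_fixture DIR -> constructed demo tree (nothing real): a superproject with one
# clean embedded bare repo and one whose objects/ links to a stand-in private key.
make_fixture() {
    mkdir -p "$1/home/.ssh" "$1/super/vendor/evil.git/objects" "$1/super/clean.git/objects"
    printf 'NOT A REAL KEY\n' > "$1/home/.ssh/id_rsa"
    printf 'ref: refs/heads/main\n' > "$1/super/vendor/evil.git/HEAD"
    printf 'ref: refs/heads/main\n' > "$1/super/clean.git/HEAD"
    ln -s "$1/home/.ssh/id_rsa" "$1/super/vendor/evil.git/objects/leak"
}

if [ "${1:-}" = "--demo" ]; then
    v=$(git --version | awk '{print $3}')
    if git_vulnerable_39253 "$v"; then echo "git $v: affected"; else echo "git $v: fixed"; fi
    t=$(mktemp -d)
    make_fixture "$t"
    echo "leaky embedded repos under $t/super: $(count_leaky_repos "$t/super")"
    safe_local_clone "$t/super/vendor/evil.git" "$t/out" || echo "clone blocked as intended"
    rm -rf "$t"
fi
```

Run it with `--demo` to check the installed git and exercise the fixture; in a pipeline, call `count_leaky_repos` on a checkout before any `--recurse-submodules` clone and `symlinks_in_objects` on any path you are about to clone locally. The scan is a filesystem check only and does not depend on the git version, so it is useful as a gate even after upgrading, when the patched `git clone` would merely fail late with an error.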
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-09-02 CVE Reserved
- 2022-10-18 CVE Published
- 2024-06-11 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (14)
URL | Tag | Source
---|---|---
http://seclists.org/fulldisclosure/2022/Nov/1 | Mailing List |
http://www.openwall.com/lists/oss-security/2023/02/14/5 | Mailing List |
http://www.openwall.com/lists/oss-security/2024/05/14/2 | Mailing List |
https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85 | Mitigation |
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html | Mailing List |
https://support.apple.com/kb/HT213496 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Git-scm | Git | < 2.30.6 | Affected
Git-scm | Git | >= 2.31.0 < 2.31.5 | Affected
Git-scm | Git | >= 2.32.0 < 2.32.4 | Affected
Git-scm | Git | >= 2.33.0 < 2.33.5 | Affected
Git-scm | Git | >= 2.34.0 < 2.34.5 | Affected
Git-scm | Git | >= 2.35.0 < 2.35.5 | Affected
Git-scm | Git | >= 2.36.0 < 2.36.3 | Affected
Git-scm | Git | >= 2.37.0 < 2.37.4 | Affected
Git-scm | Git | 2.38.0 | Affected
Fedoraproject | Fedora | 35 | Affected
Fedoraproject | Fedora | 36 | Affected
Fedoraproject | Fedora | 37 | Affected
Apple | Xcode | < 14.1 | Affected
Debian | Debian Linux | 10.0 | Affected