CVE-2022-39260
Git vulnerable to Remote Code Execution via Heap overflow in `git shell`
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
Git es un sistema de control de revisiones distribuido, escalable y de código abierto. "git shell" es un shell de acceso restringido que puede ser usado para implementar la funcionalidad push/pull de Git por medio de SSH. En versiones anteriores a 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4, la función que divide los argumentos del comando en un array usa incorrectamente un "int" para representar el número de entradas en el array, permitiendo a un actor malicioso desbordar intencionadamente el valor de retorno, conllevando a escrituras arbitrarias en la pila. Dado que la matriz resultante es pasada a "execv()", es posible aprovechar este ataque para obtener la ejecución de código remota en una máquina víctima. Tenga en cuenta que una víctima debe permitir primero el acceso a "git shell" como shell de inicio de sesión para ser vulnerable a este ataque. Este problema está parcheado en versiones 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4 y es recomendado a usuarios actualizar a la última versión. Deshabilitar el acceso al "git shell" por medio de inicios de sesión remotos es una mitigación viable a corto plazo
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-02 CVE Reserved
- 2022-10-18 CVE Published
- 2024-06-09 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-122: Heap-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2022/Nov/1 | Mailing List |
|
| https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6 | Mitigation | |
| https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html | Mailing List |
|
| https://support.apple.com/kb/HT213496 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | < 2.30.6 Search vendor "Git-scm" for product "Git" and version " < 2.30.6" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.31.0 < 2.31.5 Search vendor "Git-scm" for product "Git" and version " >= 2.31.0 < 2.31.5" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.32.0 < 2.32.4 Search vendor "Git-scm" for product "Git" and version " >= 2.32.0 < 2.32.4" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.33.0 < 2.33.5 Search vendor "Git-scm" for product "Git" and version " >= 2.33.0 < 2.33.5" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.34.0 < 2.34.5 Search vendor "Git-scm" for product "Git" and version " >= 2.34.0 < 2.34.5" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.35.0 < 2.35.5 Search vendor "Git-scm" for product "Git" and version " >= 2.35.0 < 2.35.5" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.36.0 < 2.36.3 Search vendor "Git-scm" for product "Git" and version " >= 2.36.0 < 2.36.3" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.37.0 < 2.37.4 Search vendor "Git-scm" for product "Git" and version " >= 2.37.0 < 2.37.4" | - |
Affected
| ||||||
| Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | 2.38.0 Search vendor "Git-scm" for product "Git" and version "2.38.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Xcode Search vendor "Apple" for product "Xcode" | < 14.1 Search vendor "Apple" for product "Xcode" and version " < 14.1" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||