CVE-2022-39260

Git vulnerable to Remote Code Execution via Heap overflow in `git shell`

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

Git es un sistema de control de revisiones distribuido, escalable y de código abierto. "git shell" es un shell de acceso restringido que puede ser usado para implementar la funcionalidad push/pull de Git por medio de SSH. En versiones anteriores a 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4, la función que divide los argumentos del comando en un array usa incorrectamente un "int" para representar el número de entradas en el array, permitiendo a un actor malicioso desbordar intencionadamente el valor de retorno, conllevando a escrituras arbitrarias en la pila. Dado que la matriz resultante es pasada a "execv()", es posible aprovechar este ataque para obtener la ejecución de código remota en una máquina víctima. Tenga en cuenta que una víctima debe permitir primero el acceso a "git shell" como shell de inicio de sesión para ser vulnerable a este ataque. Este problema está parcheado en versiones 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4 y es recomendado a usuarios actualizar a la última versión. Deshabilitar el acceso al "git shell" por medio de inicios de sesión remotos es una mitigación viable a corto plazo

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include a bypass vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-18 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-122: Heap-based Buffer Overflow
CWE-787: Out-of-bounds Write

CAPEC

References (10)

URL	Tag	Source
http://seclists.org/fulldisclosure/2022/Nov/1	Mailing List
https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6	Mitigation
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html	Mailing List
https://support.apple.com/kb/HT213496	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD	2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH	2023-12-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV	2023-12-27
https://security.gentoo.org/glsa/202312-15	2023-12-27
https://access.redhat.com/security/cve/CVE-2022-39260	2024-01-25
https://bugzilla.redhat.com/show_bug.cgi?id=2137423	2024-01-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				< 2.30.6 Search vendor "Git-scm" for product "Git" and version " < 2.30.6"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.31.0 < 2.31.5 Search vendor "Git-scm" for product "Git" and version " >= 2.31.0 < 2.31.5"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.32.0 < 2.32.4 Search vendor "Git-scm" for product "Git" and version " >= 2.32.0 < 2.32.4"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.33.0 < 2.33.5 Search vendor "Git-scm" for product "Git" and version " >= 2.33.0 < 2.33.5"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.34.0 < 2.34.5 Search vendor "Git-scm" for product "Git" and version " >= 2.34.0 < 2.34.5"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.35.0 < 2.35.5 Search vendor "Git-scm" for product "Git" and version " >= 2.35.0 < 2.35.5"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.36.0 < 2.36.3 Search vendor "Git-scm" for product "Git" and version " >= 2.36.0 < 2.36.3"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.37.0 < 2.37.4 Search vendor "Git-scm" for product "Git" and version " >= 2.37.0 < 2.37.4"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				2.38.0 Search vendor "Git-scm" for product "Git" and version "2.38.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Apple Search vendor "Apple"		Xcode Search vendor "Apple" for product "Xcode"				< 14.1 Search vendor "Apple" for product "Xcode" and version " < 14.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected