CVE-2023-22743
Git for Windows' installer is susceptible to DLL side loading attacks
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Description
Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, by carefully crafting a DLL and placing it in a subdirectory of a specific name next to the Git for Windows installer, Windows can be tricked into side-loading that DLL. This potentially allows users with local write access to place malicious payloads in a location where automated upgrades might run the Git for Windows installer with elevation. Version 2.39.2 contains a patch for this issue. Some workarounds are available: never leave untrusted files in the Downloads folder or its sub-folders before executing the Git for Windows installer, or move the installer into a different directory before executing it.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2023-01-06 CVE Reserved
- 2023-02-14 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-426: Untrusted Search Path
CAPEC
References (6)
URL | Tag | Source
---|---|---
https://attack.mitre.org/techniques/T1574/002 | Technical Description |
https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1 | Release Notes |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Git For Windows Project | Git For Windows | < 2.39.2 | - | Affected