GitHub_MCVELIST:CVE-2023-23946CVE-2023-23946 Git's `git apply` overwriting paths outside the working tree
6.2 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
43.5%
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
CNA Affected
[
{
"vendor": "git",
"product": "git",
"versions": [
{
"version": ">= 2.39.0, < 2.39.2",
"status": "affected"
},
{
"version": ">= 2.38.0, < 2.38.4",
"status": "affected"
},
{
"version": ">= 2.37.0, < 2.37.6",
"status": "affected"
},
{
"version": ">= 2.36.0, < 2.36.5",
"status": "affected"
},
{
"version": ">= 2.35.0, < 2.35.7",
"status": "affected"
},
{
"version": ">= 2.34.0, < 2.34.7",
"status": "affected"
},
{
"version": ">= 2.33.0, < 2.33.7",
"status": "affected"
},
{
"version": ">= 2.32.0, < 2.32.6",
"status": "affected"
},
{
"version": ">= 2.31.0, < 2.31.7",
"status": "affected"
},
{
"version": "< 2.30.8",
"status": "affected"
}
]
}
]Related
6.2 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
43.5%