FreeBSD VuXML advisory D2C6173F-E43B-11ED-A1D7-002590F2A714
Published: Apr 25, 2023

git -- Multiple vulnerabilities

Date: 2023-04-25
Source: vuxml.freebsd.org
Tags: git, vulnerabilities, patch update, cve-2023-25652, git apply, cve-2023-29007, .gitmodules, configuration, code execution, unix

CVSS3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
EPSS: 0.005 (Percentile: 77.3%)

git developers report:

This update includes 2 security fixes:

CVE-2023-25652: By feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).
CVE-2023-29007: A specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can be used to exploit a bug that can be used to inject arbitrary configuration into the user's git config. This can result in arbitrary execution of code, by inserting values for core.pager, core.editor and so on.

OS       Version  Architecture  Package   Version   Filename
FreeBSD  any      noarch        git       < 2.40.1  UNKNOWN
FreeBSD  any      noarch        git-lite  < 2.40.1  UNKNOWN
FreeBSD  any      noarch        git-tiny  < 2.40.1  UNKNOWN
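A defender-side check, added here as an example and not part of the advisory or of git itself: it flags submodule URLs in a .gitmodules file that exceed the 1024-character length named for CVE-2023-29007 above, and compares an installed git version string against the 2.40.1 fix from the package table. The .gitmodules content and the version strings are constructed samples.

```python
import re
from typing import List, Tuple

# Constructed sample .gitmodules (not from the advisory); the second URL is
# padded past the 1024-character threshold named for CVE-2023-29007.
SAMPLE_GITMODULES = (
    '[submodule "lib/ok"]\n'
    '\tpath = lib/ok\n'
    '\turl = https://example.invalid/ok.git\n'
    '[submodule "lib/long"]\n'
    '\tpath = lib/long\n'
    '\turl = https://example.invalid/' + 'a' * 1100 + '.git\n'
)

URL_LIMIT = 1024            # length threshold cited in the advisory text
FIXED_VERSION = (2, 40, 1)  # fixed in git 2.40.1 per the package table


def long_submodule_urls(text: str, limit: int = URL_LIMIT) -> List[Tuple[str, int]]:
    """Return (submodule name, url length) for every url value longer than `limit`."""
    findings = []
    name = None
    for line in text.splitlines():
        section = re.match(r'\s*\[submodule\s+"([^"]*)"\]', line)
        if section:
            name = section.group(1)
            continue
        kv = re.match(r'\s*url\s*=\s*(.*)$', line)
        if kv:
            url = kv.group(1).strip()
            if len(url) > limit:
                findings.append((name or "<unnamed>", len(url)))
    return findings


def parse_git_version(s: str) -> Tuple[int, ...]:
    """Turn 'git version 2.40.0' or a pkg-style '2.40.0_1' into (2, 40, 0)."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', s)
    if not m:
        raise ValueError(f"no version number found in {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_string: str) -> bool:
    """True when the reported git version is older than the 2.40.1 fix."""
    return parse_git_version(version_string) < FIXED_VERSION


if __name__ == "__main__":
    print(long_submodule_urls(SAMPLE_GITMODULES))
    print(is_affected("git version 2.40.0"), is_affected("2.40.1"))
```

Feed it the output of `git --version` or `pkg query '%v' git` and the contents of a checked-out .gitmodules; a non-empty findings list or `is_affected` returning True is a reason to update to 2.40.1 before running submodule operations on untrusted repositories.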
