7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Today, the Git project released new versions to address a pair of security vulnerabilities, (CVE-2023-22490 and CVE-2023-23946) that affect versions 2.39.1 and older. These affect Git’s local clone optimization, as well as git apply
, respectively.
When cloning a repository, Git selects and uses a transport mechanism appropriate for the URL scheme of your clone. When cloning a local repository, however, Git instead uses a separate local clone optimization copying files directly from the source to destination.
A specially-crafted repository can trick Git into using its local clone optimization when using a non-local transport. Git will abort clones from repositories whose $GIT_DIR/objects
directory contains a symbolic link. However, the top-level $GIT_DIR/objects
directory may itself be a symbolic link.
These two may be combined to include arbitrary files based on known paths from a victim’s filesystem into the clone’s working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.
[source]
Git allows for applying arbitrary patches to your repository’s history with git apply
. In order to prevent malicious patches from creating files outside of the working copy, git apply
rejects patches which attempt to write a file beyond a symbolic link.
However, this mechanism can be tricked when the malicious patch creates that symbolic link in the first place. This can be leveraged to write arbitrary files on a victim’s filesystem when applying malicious patches from untrusted sources.
[source]
The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.2. If you can't update immediately, reduce your risk by taking the following steps:
git clone
with --recurse-submodules
against untrusted repositories.git apply
/ git am
on input from untrusted sources.If submodules are required by your workflow, you can clone each layer of submodules iteratively after inspecting each .gitmodules
file to ensure that it does not contain suspicious module URLs.
If you are unsure about whether or not it is safe to apply a patch, you can inspect its contents with git apply --stat
. Avoid applying patches that create a symbolic link and a file beyond that link.
In order to protect users against these attacks, GitHub has taken proactive steps. Specifically, we:
Credit for CVE-2023-22490 goes to yvvdwf, and credit for CVE-2023-23946 goes to Joern Schneeweisz of GitLab. Fixes were contributed by Taylor Blau of GitHub and Patrick Steinhardt of GitLab, respectively, with additional feedback and review from members of the git-security list.