Lucene search

K
nvd[email protected]NVD:CVE-2023-25652
HistoryApr 25, 2023 - 8:15 p.m.

CVE-2023-25652

2023-04-2520:15:09
CWE-22
web.nvd.nist.gov
10
git
overwrite
patch
security
vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.003

Percentile

65.5%

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Affected configurations

Nvd
Node
git-scmgitRange<2.30.9
OR
git-scmgitRange2.31.02.31.8
OR
git-scmgitRange2.32.02.32.7
OR
git-scmgitRange2.33.02.33.8
OR
git-scmgitRange2.34.02.34.8
OR
git-scmgitRange2.35.02.35.8
OR
git-scmgitRange2.36.02.36.6
OR
git-scmgitRange2.37.02.37.7
OR
git-scmgitRange2.38.02.38.5
OR
git-scmgitRange2.39.02.39.3
OR
git-scmgitMatch2.40.0
Node
fedoraprojectfedoraMatch37
OR
fedoraprojectfedoraMatch38

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.5

Confidence

High

EPSS

0.003

Percentile

65.5%