Lucene search

K
nvd[email protected]NVD:CVE-2023-29012
HistoryApr 25, 2023 - 9:15 p.m.

CVE-2023-29012

2023-04-2521:15:10
CWE-427
web.nvd.nist.gov
6
git for windows
uncontrolled search path
vulnerability
patched
v2.40.1
workaround
directory

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

29.8%

Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolles Search Path Element vulnerability. Maliciously-placed doskey.exe would be executed silently upon running Git CMD. The problem has been patched in Git for Windows v2.40.1. As a workaround, avoid using Git CMD or, if using Git CMD, avoid starting it in an untrusted directory.

Affected configurations

Nvd
Node
git_for_windows_projectgit_for_windowsRange<2.40.1
VendorProductVersionCPE
git_for_windows_projectgit_for_windows*cpe:2.3:a:git_for_windows_project:git_for_windows:*:*:*:*:*:*:*:*

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

29.8%