CVE-2023-23946

2023-02-1400:00:00

ubuntu.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

42.7%

JSON

Git, a revision control system, is vulnerable to path traversal prior to
versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6,
2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path
outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4,
v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8.
As a workaround, use git apply --stat to inspect a patch before applying;
avoid applying one that creates a symbolic link and then creates a file
beyond the symbolic link.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchgit< 1:2.17.1-1ubuntu0.16UNKNOWN
ubuntu20.04noarchgit< 1:2.25.1-1ubuntu3.10UNKNOWN
ubuntu22.04noarchgit< 1:2.34.1-1ubuntu1.8UNKNOWN
ubuntu22.10noarchgit< 1:2.37.2-1ubuntu1.4UNKNOWN
ubuntu23.04noarchgit< 1:2.39.2-1ubuntu1UNKNOWN
ubuntu16.04noarchgit< 1:2.7.4-0ubuntu1.10+esm5) Available with Ubuntu Pro or Ubuntu Pro (Infra-onlyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	git	< 1:2.17.1-1ubuntu0.16	UNKNOWN
ubuntu	20.04	noarch	git	< 1:2.25.1-1ubuntu3.10	UNKNOWN
ubuntu	22.04	noarch	git	< 1:2.34.1-1ubuntu1.8	UNKNOWN
ubuntu	22.10	noarch	git	< 1:2.37.2-1ubuntu1.4	UNKNOWN
ubuntu	23.04	noarch	git	< 1:2.39.2-1ubuntu1	UNKNOWN
ubuntu	16.04	noarch	git	< 1:2.7.4-0ubuntu1.10+esm5) Available with Ubuntu Pro or Ubuntu Pro (Infra-only	UNKNOWN