CVE-2022-24765
Description
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set GIT_PS1_SHOWDIRTYSTATE are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend GIT_CEILING_DIRECTORIES to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
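The following PowerShell audit is an added example and is not part of the ManageEngine record or of Git for Windows itself. It checks a Windows host against the three points of the description above: whether the installed Git for Windows is at least v2.35.2, whether GIT_CEILING_DIRECTORIES covers the parent of the user profile as the workaround requires, and whether any drive root already carries a `.git` entry (either the stray folder the description warns about, or the locked-down placeholder it suggests as a workaround). It assumes Git for Windows prints its banner as `git version X.Y.Z.windows.N` and that, as Git documents for Windows, GIT_CEILING_DIRECTORIES is a semicolon-separated list of absolute paths. The script only reads; it changes nothing.

```powershell
# Added example (not the project's own code): read-only audit for CVE-2022-24765 mitigations.
# Assumptions: "git --version" prints "git version X.Y.Z[.windows.N]";
#              GIT_CEILING_DIRECTORIES is semicolon-separated on Windows.

function Test-GitForWindowsPatched {
    $git = Get-Command git -ErrorAction SilentlyContinue
    if (-not $git) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    $banner = & $git.Source --version
    if ($banner -notmatch 'git version (\d+)\.(\d+)\.(\d+)') {
        throw "Unrecognised version banner: $banner"
    }
    $installed = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
    [pscustomobject]@{
        Installed = $true
        Version   = $installed
        # v2.35.2 is the fixed release the description names. This comparison is only
        # meaningful for Git for Windows: Linux distributions backport the fix under
        # their own package versions (see the USN/SUSE/DSA/RHSA rows on this page).
        Patched   = $installed -ge [version]'2.35.2'
    }
}

function Test-GitCeilingCoversProfile {
    # Workaround 2: repository discovery must stop at the parent of the user profile
    # (e.g. C:\Users), so a <drive>:\.git above it is never reached.
    $parent  = (Split-Path -Parent $env:USERPROFILE).TrimEnd('\')
    $entries = @($env:GIT_CEILING_DIRECTORIES -split ';' |
                 Where-Object { $_ } |
                 ForEach-Object { $_.TrimEnd('\') })
    [pscustomobject]@{
        ProfileParent = $parent
        Ceiling       = $entries -join ';'
        Covered       = [bool]($entries -contains $parent)   # -contains is case-insensitive
    }
}

function Get-DriveRootGitEntries {
    # Workaround 1 / attack surface: report every <drive>:\.git with its owner.
    # An entry owned by an administrator with read/write access removed is the
    # placeholder the description recommends; one owned by another local user is
    # exactly what the description warns about and should be reviewed.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $drive.Root '.git'
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Path        = $path
                IsDirectory = $item.PSIsContainer
                Owner       = (Get-Acl -LiteralPath $path).Owner
                Hidden      = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            }
        }
    }
}

# Usage: run the three checks and print the findings.
Test-GitForWindowsPatched    | Format-List
Test-GitCeilingCoversProfile | Format-List
$rootEntries = @(Get-DriveRootGitEntries)
if ($rootEntries.Count -eq 0) {
    'No .git entry found at any drive root.'
} else {
    $rootEntries | Format-Table -AutoSize
}
```

Run it in the same shell whose environment you care about (a Git Bash session and a PowerShell session may carry different GIT_CEILING_DIRECTORIES values), and treat a `Covered = False` result on an unpatched Git as the condition to fix, not the presence of a drive-root `.git` by itself.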
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerability CVE-2022-24765,CVE-2022-24975 are affected in Git (x64) 2.35.1 | Windows |
| Vulnerability CVE-2022-24765,CVE-2022-24975 are affected in Git 2.35.1 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Community 2017 15.9.46 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Enterprise 2017 15.9.46 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Professional 2017 15.9.46 | Windows |
| Vulnerabilities CVE-2022-24513,CVE-2022-24765 are fixed in Microsoft Visual Studio Community 2019 16.7.27 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Community 2019 16.11.12 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Community 2019 16.9.19 | Windows |
| Vulnerabilities CVE-2022-24513,CVE-2022-24765 are fixed in Microsoft Visual Studio Enterprise 2019 16.7.27 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Enterprise 2019 16.11.12 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Enterprise 2019 16.9.19 | Windows |
| Vulnerabilities CVE-2022-24513,CVE-2022-24765 are fixed in Microsoft Visual Studio Professional 2019 16.7.27 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Professional 2019 16.11.12 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Professional 2019 16.9.19 | Windows |
| Vulnerabilities CVE-2020-8927,CVE-2021-43877,CVE-2022-24765 are fixed in Microsoft Visual Studio Community 2022 17.1.4 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Community 2022 17.0.8 | Windows |
| Vulnerabilities CVE-2020-8927,CVE-2021-43877,CVE-2022-24765 are fixed in Microsoft Visual Studio Enterprise 2022 17.1.4 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Enterprise 2022 17.0.8 | Windows |
| Vulnerabilities CVE-2020-8927,CVE-2021-43877,CVE-2022-24765 are fixed in Microsoft Visual Studio Professional 2022 17.1.4 | Windows |
| Vulnerabilities CVE-2022-24765 are fixed in Microsoft Visual Studio Professional 2022 17.0.8 | Windows |
| Vulnerabilities CVE-2022-24765,CVE-2023-25652,CVE-2023-29007 are affected in Git (X64) 2.34.7 | Windows |
| Vulnerabilities CVE-2022-24765,CVE-2023-25652,CVE-2023-29007 are affected in Git 2.34.7 | Windows |
| fast, scalable, distributed revision control system (USN-5376-1) git_2.25.1-1ubuntu3.4_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-1) git_2.25.1-1ubuntu3.4_amd64.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-1) git_2.32.0-1ubuntu1.2_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-1) git_2.32.0-1ubuntu1.2_amd64.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-1) git_2.17.1-1ubuntu0.11_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-1) git_2.17.1-1ubuntu0.11_amd64.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.25.1-1ubuntu3.4_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.25.1-1ubuntu3.4_amd64.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.32.0-1ubuntu1.2_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.32.0-1ubuntu1.2_amd64.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.34.1-1ubuntu1.2_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.34.1-1ubuntu1.2_amd64.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.17.1-1ubuntu0.11_i386.deb | Linux |
| fast, scalable, distributed revision control system (USN-5376-3) git_2.17.1-1ubuntu0.11_amd64.deb | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-core-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-core-debuginfo-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-cvs-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-daemon-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-daemon-debuginfo-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-debugsource-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-email-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-gui-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-svn-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) git-web-2.26.2-27.52.1.x86_64.rpm | Linux |
| SUSE-SU-2022:1306-1(SUSE Linux Enterprise Server 12-SP5 ) gitk-2.26.2-27.52.1.x86_64.rpm | Linux |
| git security update(DSA-5332-1) git_2.30.2-1+deb11u1_amd64.deb | Linux |
| (RHSA-2023:2319) git security and bug fix update git-2.39.1-1.el9.x86_64.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-all-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-core-2.39.1-1.el9.x86_64.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-core-doc-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-credential-libsecret-2.39.1-1.el9.x86_64.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-daemon-2.39.1-1.el9.x86_64.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-debugsource-2.39.1-1.el9.x86_64.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-email-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-gui-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-instaweb-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-subtree-2.39.1-1.el9.x86_64.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update git-svn-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update gitk-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update gitweb-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update perl-Git-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2319) git security and bug fix update perl-Git-SVN-2.39.1-1.el9.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-2.39.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-all-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-core-2.39.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-core-doc-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-credential-libsecret-2.39.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-daemon-2.39.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-debugsource-2.39.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-email-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-gui-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-instaweb-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-subtree-2.39.1-1.el8.x86_64.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update git-svn-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update gitk-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update gitweb-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update perl-Git-2.39.1-1.el8.noarch.rpm | Linux |
| (RHSA-2023:2859) git security and bug fix update perl-Git-SVN-2.39.1-1.el8.noarch.rpm | Linux |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-342450 | Git (x64) (2.47.0.2) |
| PATCH-342449 | Git (2.47.0.2) |
| PATCH-352878 | Git (x64) (2.51.2) |
| PATCH-350752 | Git (2.50.1) |
References
https://nvd.nist.gov/vuln/detail/CVE-2022-24765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765