CVE-2022-29187

Description

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 is vulnerable to privilege escalation on all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by that user, but in which an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue.

The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or as an Administrator on Windows) and, where that is unavoidable, to keep such use to a minimum. While a generic workaround is not possible, a system can be hardened against the exploit described in the example by removing any such repository if one already exists and creating one as root to block any future attacks.
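An added example, not part of the advisory, that audits a shared directory for the condition the description turns on: ".git" entries under a directory such as /tmp that are not owned by the user who will run git there. It is a POSIX shell script of my own; the function names and the optional EXPECTED_UID argument are assumptions, not anything the advisory or git ships.

```shell
#!/bin/sh
# Added example (not from the advisory): list ".git" entries beneath DIR whose
# owner differs from the user who is about to run git there. Git walks up from
# the current directory looking for a ".git" directory, which is why a
# repository planted by another user in a shared directory matters
# (CVE-2022-24765 / CVE-2022-29187). Listing such entries is the first step of
# the hardening suggested above: remove the planted repository, then create one
# as root so the name cannot be reused.
#
# Usage: list_foreign_git_dirs DIR [EXPECTED_UID]
#   Prints one path per line for every ".git" entry under DIR that is not
#   owned by EXPECTED_UID (default: the uid of the calling user).
list_foreign_git_dirs() {
    dir=$1
    expected_uid=${2:-$(id -u)}
    # -prune stops find from descending into repository internals; a worktree's
    # ".git" file is reported too, since git trusts it the same way.
    find "$dir" -name .git -prune -print 2>/dev/null | while IFS= read -r gitdir; do
        # GNU stat uses -c, BSD/macOS stat uses -f; try both.
        owner=$(stat -c %u "$gitdir" 2>/dev/null || stat -f %u "$gitdir" 2>/dev/null)
        if [ "$owner" != "$expected_uid" ]; then
            printf '%s\n' "$gitdir"
        fi
    done
}

# count_foreign_git_dirs DIR [EXPECTED_UID]: number of such entries, for use
# in scripts that want a single value rather than a listing.
count_foreign_git_dirs() {
    list_foreign_git_dirs "$1" "$2" | wc -l | tr -d ' '
}
```

On patched versions git itself refuses to use a repository owned by another user and the allow-list lives in the safe.directory configuration key; this script only shows which directories would trip that check, it does not change them.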

Risk Information

Base Score: 7.8 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.063

Associated Vulnerability

Vulnerability | OS Platform
CVE-2022-29187 affects Git (X64) 2.30.4 | Windows
CVE-2022-29187 affects Git (X64) 2.31.3 | Windows
CVE-2022-29187 affects Git (X64) 2.32.2 | Windows
CVE-2022-29187 affects Git (X64) 2.33.3 | Windows
CVE-2022-29187 affects Git (X64) 2.34.3 | Windows
CVE-2022-29187 affects Git (X64) 2.35.3 | Windows
CVE-2022-29187 affects Git (X64) 2.36.1 | Windows
CVE-2022-29187 affects Git (X64) 2.37.0-rc2 | Windows
CVE-2022-29187 affects Git 2.30.4 | Windows
CVE-2022-29187 affects Git 2.31.3 | Windows
CVE-2022-29187 affects Git 2.32.2 | Windows
CVE-2022-29187 affects Git 2.33.3 | Windows
CVE-2022-29187 affects Git 2.34.3 | Windows
CVE-2022-29187 affects Git 2.35.3 | Windows
CVE-2022-29187 affects Git 2.36.1 | Windows
CVE-2022-29187 affects Git 2.37.0-rc2 | Windows
fast, scalable, distributed revision control system (USN-5511-1) git_2.25.1-1ubuntu3.5_i386.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.25.1-1ubuntu3.5_amd64.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.32.0-1ubuntu1.3_i386.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.32.0-1ubuntu1.3_amd64.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.34.1-1ubuntu1.4_i386.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.34.1-1ubuntu1.4_amd64.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.17.1-1ubuntu0.12_i386.deb | Linux
fast, scalable, distributed revision control system (USN-5511-1) git_2.17.1-1ubuntu0.12_amd64.deb | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-core-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-core-debuginfo-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-cvs-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-daemon-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-daemon-debuginfo-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-debugsource-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-email-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-gui-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-svn-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) git-web-2.26.2-27.57.1.x86_64.rpm | Linux
SUSE-SU-2022:2537-1 (SUSE Linux Enterprise Server 12-SP5) gitk-2.26.2-27.57.1.x86_64.rpm | Linux
git security update (DSA-5332-1) git_2.30.2-1+deb11u1_amd64.deb | Linux
(RHSA-2023:2319) git security and bug fix update git-2.39.1-1.el9.x86_64.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-all-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-core-2.39.1-1.el9.x86_64.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-core-doc-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-credential-libsecret-2.39.1-1.el9.x86_64.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-daemon-2.39.1-1.el9.x86_64.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-debugsource-2.39.1-1.el9.x86_64.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-email-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-gui-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-instaweb-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-subtree-2.39.1-1.el9.x86_64.rpm | Linux
(RHSA-2023:2319) git security and bug fix update git-svn-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update gitk-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update gitweb-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update perl-Git-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2319) git security and bug fix update perl-Git-SVN-2.39.1-1.el9.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-2.39.1-1.el8.x86_64.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-all-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-core-2.39.1-1.el8.x86_64.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-core-doc-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-credential-libsecret-2.39.1-1.el8.x86_64.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-daemon-2.39.1-1.el8.x86_64.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-debugsource-2.39.1-1.el8.x86_64.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-email-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-gui-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-instaweb-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-subtree-2.39.1-1.el8.x86_64.rpm | Linux
(RHSA-2023:2859) git security and bug fix update git-svn-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update gitk-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update gitweb-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update perl-Git-2.39.1-1.el8.noarch.rpm | Linux
(RHSA-2023:2859) git security and bug fix update perl-Git-SVN-2.39.1-1.el8.noarch.rpm | Linux
SUSE-SU-2022:2550-1 (SUSE Linux Enterprise Module for Basesystem 15-SP3) git-core-2.35.3-150300.10.15.1.x86_64_15_SP3.rpm | Linux
SUSE-SU-2022:2550-1 (SUSE Linux Enterprise Module for Basesystem 15-SP3) perl-Git-2.35.3-150300.10.15.1.x86_64_15_SP3.rpm | Linux
git Security Update (ALAS-2022-1820) git-subtree-2.37.1-1.amzn2.0.1.x86_64.rpm | Linux

Patch Details

Patch ID | Patch Description
PATCH-352878 | Git (x64) (2.51.2)
PATCH-350752 | Git (2.50.1)
