Git clone remote code execution vulnerability in git-for-windows
CVE-2022-41953

8.6 HIGH

Key Information:

Status:
Vendor:
CVE Published: 17 January 2023

Summary

Git GUI, the graphical front end shipped with Git for Windows, is intended for users who prefer a graphical interface to the command line. A design flaw in how the Tcl/Tk framework locates executables on Windows allows a malicious repository to ship a crafted aspell.exe in its top-level directory. When a user clones such a repository with Git GUI, the tool runs this executable without any prior confirmation from the user, so code under the repository author's control executes on the user's machine. The issue is fixed in version 2.39.1. Users should upgrade to the latest version or, failing that, avoid using Git GUI to clone repositories from untrusted sources.

Affected Version(s)

git < 2.39.1

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
