gitk can inadvertently call executables in the worktree
CVE-2023-23618

8.6HIGH

Key Information:

Vendor
Git-for-windows
Status
Git
Vendor
CVE Published:
14 February 2023

Summary

In Git for Windows versions prior to 2.39.2, the 'gitk' tool is susceptible to a vulnerability where it may inadvertently execute binaries from the current working directory. This occurrence can be exploited through social engineering techniques, allowing an attacker to trick users into executing harmful code. Users are advised to avoid using 'gitk' or the Visualize History option in Git GUI for untrusted repositories. An available patch in version 2.39.2 addresses this issue.

Affected Version(s)

git < 2.39.2

References

https://github.com/git-for-windows/git/security/advisorie...
x_refsource_CONFIRM
https://github.com/git-for-windows/git/commit/49a8ec9dac3...
x_refsource_MISC
https://github.com/git-for-windows/git/releases/tag/v2.39...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.