Git Vulnerability: Path Traversal Flaw Affects Multiple Versions
CVE-2023-23946
What is CVE-2023-23946?
CVE-2023-23946 is a critical vulnerability found in Git, a widely used revision control system essential for managing and tracking changes in software development projects. The vulnerability is a path traversal flaw that allows an attacker to overwrite files outside of the intended working directory by feeding crafted input to the git apply command. This flaw can significantly compromise an organization's source code integrity and security, potentially leading to unauthorized access to sensitive data or disruption of software development processes.
Technical Details
The vulnerability affects Git versions prior to the patched releases 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. An attacker exploits the flaw by supplying specially crafted input that tricks git apply into overwriting files; the flaw lies in the handling of symbolic links. The recommended workaround is to inspect patches with the git apply --stat command before applying them, and to avoid applying any patch whose symbolic link operations could lead to file overwriting.
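The workaround above, automated as an added example (not code from the Git project or from this page): a Python pre-check that reads a patch before git apply and flags any path that escapes the working tree or passes through a symbolic link the same patch creates. The function name review_patch and the sample patch are constructed for illustration.

```python
import re
from pathlib import PurePosixPath
HEADER = re.compile(r'^diff --git a/(.+?) b/(.+)$')
SYMLINK_MODE = re.compile(r'^(?:new file mode|new mode) 120000$')

# Constructed sample: one ordinary edit, one new symlink, one file under it.
SAMPLE = """\
diff --git a/README b/README
--- a/README
+++ b/README
@@ -1 +1 @@
-old
+new
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+some-directory
diff --git a/link/notes.txt b/link/notes.txt
new file mode 100644
--- /dev/null
+++ b/link/notes.txt
@@ -0,0 +1 @@
+hello
"""

def review_patch(patch_text):
    """Return (path, reason) findings for a patch in git's diff format."""
    findings, symlinks, paths, current = [], set(), [], None
    for line in patch_text.splitlines():
        if line.startswith('diff --git '):
            m = HEADER.match(line)
            if not m or m.group(1) != m.group(2):
                # Quoted names, renames, ambiguous headers: fail closed.
                findings.append((line, 'header needs manual review'))
                current = None
                continue
            current = m.group(2)
            paths.append(current)
        elif current and SYMLINK_MODE.match(line):
            symlinks.add(current)  # mode 120000 marks a symbolic link
    for p in paths:
        parts = PurePosixPath(p).parts
        if p.startswith('/') or '..' in parts:
            findings.append((p, 'path escapes the working tree'))
        for i in range(1, len(parts)):
            if '/'.join(parts[:i]) in symlinks:
                findings.append((p, 'path passes through a symlink created by this patch'))
    return findings
```

An empty result means none of these patterns were found, not that the patch is safe; the check supplements upgrading to a patched release and does not replace it.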
Potential impact of CVE-2023-23946
- Data Integrity Compromise: The vulnerability could lead to the alteration or deletion of critical files in the repository, affecting the integrity of the organization's codebase and potentially introducing errors or malicious code.
- Unauthorized Access to Sensitive Files: By exploiting this flaw, attackers may gain unintended access to sensitive files stored beyond the working tree, increasing the risk of data breaches and unauthorized information disclosure.
- Disruption of Software Development: The ability to overwrite files can disrupt regular software development workflows, causing delays, loss of important functionalities, and requiring extensive cleanup efforts to restore affected systems.
Affected Version(s)
git >= 2.39.0, < 2.39.2 < 2.39.0, 2.39.2
git >= 2.38.0, < 2.38.4 < 2.38.0, 2.38.4
git >= 2.37.0, < 2.37.6 < 2.37.0, 2.37.6
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- 📈 Vulnerability started trending
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved