Security News > 2022 > April > Git for Windows issues update to fix running-someone-else’s-code vuln

Git for Windows issues update to fix running-someone-else’s-code vuln
2022-04-13 13:00

After a hefty Patch Tuesday comes news of an update for Git to deal with a vulnerability for the source shack when run on Microsoft's Windows.

The update is solely concerned with CVE-2022-24765, an interesting bug which afflicts the Git for Windows fork of Git.

In this case, the miscreants would only need to create the folder c:.git, "Which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory," according to NIST. The result is that Git would use the config in the directory.

"Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash.".

The Git team was little blunter about the vulnerability, and warned that "Merely having a Git-aware prompt that runs 'git status' and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user."

To deal with the issue, the Git team recommends an update.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/04/13/git_vuln/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-04-12 CVE-2022-24765 Uncontrolled Search Path Element vulnerability in multiple products
Git for Windows is a fork of Git containing Windows-specific patches.
local
low complexity
git-scm fedoraproject apple debian CWE-427
7.8
7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
GIT 2 0 3 4 1 8