Security News > 2023 > January > Git patches two critical remote code execution security flaws

Git has patched two critical-severity security vulnerabilities that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses.
A third, Windows-specific flaw affecting the Git GUI tool, caused by an untrusted search path weakness, enables unauthenticated threat actors to run untrusted code in low-complexity attacks.
The first two vulnerabilities were patched on Wednesday in new versions going back to v2.30.7.
The third one, tracked as CVE-2022-41953, is still waiting for a patch, but users can work around the issue by not using the Git GUI software to clone repositories, or by avoiding cloning from untrusted sources.
Security experts from X41 and GitLab found these vulnerabilities as part of a security source code audit of Git sponsored by OSTIF. "The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges," X41 security experts said.
In all cases, the most effective way to defend against attacks attempting to exploit these vulnerabilities is to upgrade to the latest Git release.
Related Vulnerability

| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2023-01-17 | CVE-2022-41953 | Unspecified vulnerability in Git-Scm GIT (Git GUI, a graphical tool that ships with Git for Windows) | 7.8 |