Security News > 2023 > January > Critical RCE vulnerabilities found in git (CVE-2022-41903, CVE-2022-23251)

A source code audit has revealed two critical vulnerabilities affecting git, the popular distributed version control system for collaborative software development.

Aside from the two critical issues, a high severity flaw has also been patched in the Git GUI for Windows.

"The Windows-specific issue involves a $PATH lookup including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI," GitHub software engineer Taylor Blau explained, and advised git users to avoid using the Git GUI on Windows when cloning untrusted repositories.

"If you can't update immediately, reduce your risk by taking the following steps: Avoid invoking the -format mechanism directly with the known operators, and avoid running git archive in untrusted repositories, and if you expose git archive via git daemon, consider disabling it if working with untrusted repositories by running git config -global daemon.uploadArch false," Blau advised.

The git source code audit was organized by the Open Source Technology Improvement Fund, and other efforts to improve git security are underway, they noted.

"We will be releasing the results of those efforts as each of these projects is completed. This coalition of efforts is unified through our shared interests in git and the critical role that it plays in the open source world," they added.

News URL

https://www.helpnetsecurity.com/2023/01/19/git-critical-vulnerabilities/