Configuration in libgit2 - CVE-2023-22742
Published: January 22, 2023 / Updated: February 13, 2023
Vulnerability identifier: #VU71412
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-22742
CWE-ID: CWE-16
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: libgit2.github.com
Affected software:
libgit2
libgit2
Detailed vulnerability description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to missing certificate validation in libgit2, when compiled using the optional, included libssh2 backend. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
How to mitigate CVE-2023-22742
Install updates from vendor's website.