#VU68517 Input validation error in Git


Published: 2022-12-22 | Updated: 2023-05-29

Vulnerability identifier: #VU68517

Vulnerability risk: Low

CVSSv3.1: 2.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-39253

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the way Git handles hardlinks when performing a local clone. A remote attacker can trick the victim into clocking a malicious repository and create or copy hardlinks to critical files on the system, which can result in sensitive information exposure.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git: 2.38.0, 2.37.0 - 2.37.3, 2.36.0 - 2.36.2, 2.35.0 - 2.35.4, 2.34.0 - 2.34.4, 2.33.0 - 2.33.4, 2.32.0 - 2.32.3, 2.31.0 - 2.31.4, 2.30.0 - 2.30.5

External links
http://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Gentoo update for Git
Debian update for git
Multiple vulnerabilities in Dell Data Protection Central
Multiple vulnerabilities in Dell EMC SRM and Dell EMC Storage Monitoring and Reporting (SMR)
Multiple vulnerabilities in Dell NetWorker vProxy
VMware Tanzu products update for Git
Red Hat Enterprise Linux 8 update for git
Red Hat Enterprise Linux 9 update for git
Multiple vulnerabilities in Oracle Linux
Multiple vulnerabilities in Oracle Solaris third-party software