#VU71240 Untrusted search path in Git for Windows - CVE-2022-41953


Published: January 17, 2023 / Updated: February 15, 2023


Vulnerability identifier: #VU71240
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-41953
CWE-ID: CWE-426
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Git for Windows
Software vendor:
Git for Windows

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an insecure implementation of the Git GUI's Clone function, which automatically searches for and executes aspell.exe after cloning a repository. A remote attacker can trick the victim into cloning a malicious repository that includes a malicious aspell.exe file and thereby execute arbitrary code on the system.
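The search-path pattern behind CWE-426 and a defender-side check for a fresh clone, as an added Python example that is not code from Git for Windows or from this advisory: the untrusted lookup consults the checkout before trusted directories, the hardened lookup never does, and find_planted_binaries flags a checkout that ships a file named aspell.exe. The trusted-tools directory, the file contents and the repository layout are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional

SPELL_CHECKER = "aspell.exe"  # the binary the advisory says Git GUI runs after cloning

def resolve_untrusted(name: str, cwd: Path, trusted_dirs: List[Path]) -> Optional[Path]:
    """CWE-426 pattern: the working directory (here the fresh checkout) is searched
    before trusted locations, so a repo-supplied binary wins. Shown for contrast only."""
    for d in [cwd, *trusted_dirs]:
        if (d / name).is_file():
            return d / name
    return None

def resolve_trusted(name: str, trusted_dirs: List[Path]) -> Optional[Path]:
    """Hardened lookup: only absolute, explicitly trusted directories are searched,
    never the working directory; symlinks escaping the directory are rejected."""
    for d in trusted_dirs:
        candidate = (d / name).resolve()
        if d.is_absolute() and candidate.is_file() and candidate.parent == d.resolve():
            return candidate
    return None

def find_planted_binaries(repo: Path, name: str = SPELL_CHECKER) -> List[Path]:
    """Defender-side check: files in a checkout whose name matches the looked-up
    executable, compared case-insensitively as on NTFS, skipping .git metadata."""
    hits: List[Path] = []
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d != ".git"]
        hits += [Path(root) / f for f in files if f.lower() == name.lower()]
    return hits

def demo() -> dict:
    """Constructed scenario: a clone carrying aspell.exe at its root and a trusted
    tool directory (assumed name) that ships no spell checker."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "cloned-repo"
        (repo / ".git").mkdir(parents=True)
        (repo / SPELL_CHECKER).write_bytes(b"constructed placeholder, not a real PE")
        tool_dir = Path(tmp) / "trusted-tools"
        tool_dir.mkdir()
        return {
            "untrusted": resolve_untrusted(SPELL_CHECKER, repo, [tool_dir]),
            "trusted": resolve_trusted(SPELL_CHECKER, [tool_dir]),
            "planted": [p.relative_to(repo) for p in find_planted_binaries(repo)],
        }

if __name__ == "__main__":
    print(demo())
```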


Remediation

Install updates from the vendor's website.

External links