Vulnerability identifier: #VU72245
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-59
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Git (Client/Desktop applications / Software for system administration)
Vendor: Git
Description
The vulnerability allows an attacker to compromise the affected system.
The vulnerability exists because the application allows files outside the working tree to be overwritten via the "git apply" command. A remote attacker can trick the victim into running the affected command against a malicious or compromised repository and overwrite arbitrary files on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Git: 2.30.0 - 2.39.1
External links
http://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
http://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.