#VU72245 Link following in Git


Published: 2023-02-15

Vulnerability identifier: #VU72245

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23946

CWE-ID: CWE-59

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows an attacker to compromise the affected system.

The vulnerability exists because the application allows files outside the working tree to be overwritten via the "git apply" command. A remote attacker can trick the victim into running the affected command against a malicious or compromised repository and overwrite arbitrary files on the system.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Git: 2.38.0 - 2.39.1, 2.37.0 - 2.37.5, 2.36.0 - 2.36.4, 2.35.0 - 2.35.6, 2.34.0 - 2.34.6, 2.33.0 - 2.33.6, 2.32.0 - 2.32.5, 2.31.0 - 2.31.6, 2.30.0 - 2.30.7
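
To check an installed Git against the version ranges listed above, here is an added example script (not part of the bulletin or of the Git project); it assumes git is on PATH and that the installed build reports an upstream X.Y.Z version string.

```python
"""Check whether a Git version falls inside the affected ranges listed in this bulletin."""
import re
import subprocess

# Affected ranges as published above (inclusive on both ends).
AFFECTED_RANGES = [
    ("2.38.0", "2.39.1"),
    ("2.37.0", "2.37.5"),
    ("2.36.0", "2.36.4"),
    ("2.35.0", "2.35.6"),
    ("2.34.0", "2.34.6"),
    ("2.33.0", "2.33.6"),
    ("2.32.0", "2.32.5"),
    ("2.31.0", "2.31.6"),
    ("2.30.0", "2.30.7"),
]


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '2.39.1',
    'git version 2.39.1.windows.1' or 'git version 2.39.3 (Apple Git-145)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if the version lies inside any listed range; versions outside all
    ranges (including anything older than 2.30.0) return False."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_git_version():
    """Return the output of `git --version`, or None if git is not on PATH."""
    try:
        proc = subprocess.run(["git", "--version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    out = installed_git_version()
    if out is None:
        print("git not found on PATH")
    else:
        verdict = "AFFECTED - update git" if is_affected(out) else "not in the listed ranges"
        print(f"{out}: {verdict}")
```

A distribution that backports the fix without changing the reported version will still show as affected here, so confirm against the distribution's own security tracker before acting on the result.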


External links
http://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
http://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
