Input validation error in Git for Windows - CVE-2023-29007

 


Published: April 25, 2023 / Updated: August 16, 2024


Vulnerability identifier: #VU75486
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2023-29007
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Git for Windows
Affected software:
Git for Windows

Detailed vulnerability description

The vulnerability allows an attacker to tamper with Git configuration.

The vulnerability exists due to insufficient input validation in "git submodule deinit" when renaming or deleting a section from a configuration file. A remote attacker can trick the victim into running the command on a malicious configuration file and tamper with Git configuration on the affected system.


How to mitigate CVE-2023-29007

Install updates from the vendor's website.
