CVE - CVE-2022-24765

CVE-ID
CVE-2022-24765	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://support.apple.com/kb/HT213261 CONFIRM:https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2 URL:https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2 FEDORA:FEDORA-2022-2a5de7cb8b URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/ FEDORA:FEDORA-2022-2fec5f30be URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/ FEDORA:FEDORA-2022-3759ebabd2 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/ FEDORA:FEDORA-2022-dfd7e7fc0e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/ FEDORA:FEDORA-2022-e99ae504f5 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/ FEDORA:FEDORA-2023-1068309389 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/ FEDORA:FEDORA-2023-3ec32f6d4e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/ FEDORA:FEDORA-2023-470c7ea49e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/ FEDORA:FEDORA-2023-e3c8abd37e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/ FULLDISC:20220516 APPLE-SA-2022-05-16-8 Xcode 13.4 URL:http://seclists.org/fulldisclosure/2022/May/31 GENTOO:GLSA-202312-15 URL:https://security.gentoo.org/glsa/202312-15 MISC:https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash URL:https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash MISC:https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode URL:https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode MLIST:[debian-lts-announce] 20221213 [SECURITY] [DLA 3239-1] git security update URL:https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html MLIST:[oss-security] 20220412 git v2.35.2 and friends for CVE-2022-24765 URL:http://www.openwall.com/lists/oss-security/2022/04/12/7
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20220210	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220210)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)