Main Vulnerability Database SB2023012216

SB2023012216 - MitM attack in libgit2

Published: January 22, 2023 Updated: February 13, 2023

Security Bulletin ID SB2023012216

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Configuration (CVE-ID: CVE-2023-22742)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing certificate validation in libgit2, when compiled using the optional, included libssh2 backend. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.

Remediation

Install update from vendor's website.

SB2023012216 - MitM attack in libgit2

Breakdown by Severity

Description

Remediation

References