SB2023021521 - Microsoft Visual Studio update for Git

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Integer overflow (CVE-ID: CVE-2022-23521)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing the .gitattributes attributes. A remote attacker can trick the victim into cloning a specially crafted repository and execute arbitrary code on the system.

2) Untrusted search path (CVE-ID: CVE-2022-41953)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure implementation of the Git GUI's Clone function, which automatically searches and  executes the aspell.exe file after cloning the repository. A remote attacker can trick the victim into cloning a malicious repository and execute arbitrary code on the system by including the malicious aspell.exe file into the repository.

Remediation

Install update from vendor's website.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23521
• https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41953
• https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c