Main Vulnerability Database SB2023051772

SB2023051772 - Ubuntu update for git

Published: May 17, 2023 Updated: August 16, 2024

Security Bulletin ID SB2023051772

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Link following (CVE-ID: CVE-2023-25652)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue in "git apply --reject". A local user can create a specially crafted symbolic link to write files outside of the worktree.

2) Input validation error (CVE-ID: CVE-2023-29007)

The vulnerability allows an attacker to tamper with Git configuration.

The vulnerability exists due to insufficient input validation in "git submodule deinit" when renaming or deleting a section from a configuration file. A remote attacker can trick the victim into running the command a malicious configuration file and tamper with Git configuration on the affected system.

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-6050-2