Integer overflow in Git for Windows

#VU71239 Integer overflow in Git for Windows

Cybersecurity Help s.r.o.

Published: 2023-01-17 | Updated: 2023-02-15

Vulnerability identifier: #VU71239

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23521

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git for Windows
Other software / Other software solutions

Vendor: Git for Windows

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when parsing the .gitattributes attributes. A remote attacker can trick the victim into cloning a specially crafted repository and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git for Windows: 2.0.0 - 2.39.0.2

External links
http://github.com/git-for-windows/git/releases/tag/v2.39.1.windows.1
http://github.com/git-for-windows/git/releases/tag/v2.35.6.windows.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for git

Gentoo update for Git

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Debian update for git

Fedora 37 update for git

Fedora 36 update for git

Multiple vulnerabilities in Dell Data Protection Central

Multiple vulnerabilities in Dell EMC SRM and Dell EMC Storage Monitoring and Reporting (SMR)

Multiple vulnerabilities in Dell XtremIO X2

Multiple vulnerabilities in IBM QRadar SIEM