CVE-2022-24765

CWE-427CWE-28310 documents8 sources
Severity
7.8HIGH
EPSS
0.2%
top 60.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Git-for-windows GITApple XcodeGit-scm GIT+3 more
Timeline
PublishedApr 12
Latest updateJul 13

Description

Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as we

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages6 packages

CVEListV5git-for-windows/git< 2.35.2
NVDapple/xcode< 13.4
NVDgit-scm/git< 2.35.2
Debiangit< 1:2.30.2-1+deb11u1+3
Ubuntugit< 1:2.17.1-1ubuntu0.12+2

Also affects: Fedora 34, 35, 36, 37, Debian Linux 10.0

🔴Vulnerability Details

3
OSV
git vulnerabilities2022-07-13
CVEList
Uncontrolled search for the Git directory in Git for Windows2022-04-12
OSV
CVE-2022-24765: Git for Windows is a fork of Git containing Windows-specific patches2022-04-12

📋Vendor Advisories

6
Red Hat
git: Bypass of safe.directory protections2022-07-12
Apple
CVE-2022-24765: Xcode 13.42022-05-16
Ubuntu
Git vulnerability2022-04-25
Microsoft
GitHub: Uncontrolled search for the Git directory in Git for Windows2022-04-12
Red Hat
git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree2022-04-12
CVE-2022-24765 (HIGH CVSS 7.8) | Git for Windows is a fork of Git co | cvebase.io