CVE-2022-41953
Published: 2023-01-17
Priority: P3 · 43 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 6.80% (93.2nd percentile)
Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.
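The mitigation the advisory offers is to avoid cloning untrusted repositories with Git GUI. A defender who has to triage clones that already exist can at least check whether a repository carries a top-level file that a current-directory-first lookup would resolve in place of `aspell`. The script below is an added example, not code from Git for Windows or Git GUI: it walks only the top level of a clone, matches case-insensitively because Windows file names are, and treats `.exe`, `.com`, `.bat` and `.cmd` as the extensions a bare command name may resolve to (an assumed list modelled on PATHEXT defaults; the page itself names only `aspell.exe`). `SHADOWABLE_TOOLS`, `WINDOWS_EXEC_EXTS`, `find_shadowing_binaries` and `demo` are names chosen here, and the two sample repositories in `demo` are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Tool names the advisory says Git GUI looks up after a clone; only aspell is
# named on the page, so this tuple is a parameter rather than a fixed list.
SHADOWABLE_TOOLS = ("aspell",)

# Extensions a bare command name may resolve to on Windows. Assumed list,
# modelled on PATHEXT defaults; adjust to the host's PATHEXT if it differs.
WINDOWS_EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def find_shadowing_binaries(repo_dir, tools=SHADOWABLE_TOOLS, exts=WINDOWS_EXEC_EXTS):
    """Return the names of top-level files in repo_dir that a current-directory-first
    lookup of any name in `tools` would resolve to.

    Only the top level is inspected because that is the working directory Git GUI
    post-processes in. Matching is case-insensitive, as Windows file names are.
    """
    top = Path(repo_dir)
    wanted = {f"{tool}{ext}".lower() for tool in tools for ext in exts}
    return sorted(p.name for p in top.iterdir() if p.is_file() and p.name.lower() in wanted)


def scan_report(repo_dir):
    """Human-readable verdict for a single clone; no hits means nothing shadows."""
    hits = find_shadowing_binaries(repo_dir)
    if not hits:
        return f"{repo_dir}: no tool-shadowing files at top level"
    return f"{repo_dir}: top-level files would shadow helper tools: {', '.join(hits)}"


def demo():
    """Build two constructed sample clones in a temp directory and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean-repo"
        clean.mkdir()
        (clean / "README.md").write_text("constructed sample repository\n")
        (clean / "src").mkdir()
        # Nested binaries are out of scope: the lookup happens in the top-level directory.
        (clean / "src" / "aspell.exe").write_bytes(b"MZ")

        suspect = Path(tmp) / "suspect-repo"
        suspect.mkdir()
        (suspect / "README.md").write_text("constructed sample repository\n")
        (suspect / "ASPELL.EXE").write_bytes(b"MZ")  # case differs, still matches
        (suspect / "aspell.bat").write_text("@echo constructed\n")

        return {
            "clean": find_shadowing_binaries(clean),
            "suspect": find_shadowing_binaries(suspect),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real clone with `scan_report(path)`; a non-empty hit list is a reason to inspect the repository before opening it in an unpatched Git GUI, and the same check is cheap enough to run over every checkout under a shared workspace root.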
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| git-for-windows | git | < 2.39.1 | 2.39.1 |
| git-scm | git | < 2.39.1 | 2.39.1 |
| msrc | cbl2_git_2.33.8-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_git_2.33.6-1_on_cbl_mariner_1.0 | — | — |
| msrc | microsoft_visual_studio_2017_version_15.9 | — | — |
| msrc | microsoft_visual_studio_2019_version_16.11 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.0 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.2 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.4 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| vendor_msrc | 8.6 | HIGH | — |
Microsoft (vendor_msrc · 2023-02-14 · CVSS 8.6)
GitHub: CVE-2022-41953 Git GUI Clone Remote Code Execution Vulnerability [HIGH]
FAQ: Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Git for Windows software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Tags: Visual Studio, GitHub
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; DoS: N/A
Remediation: Release Notes
Reference: http://aka.ms/vs/15/release/latest
Reference: https://my
Microsoft (vendor_msrc · 2023-01-10 · CVSS 7.8)
Git clone remote code execution vulnerability in git-for-windows [HIGH] CWE-426
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
No detection rules found.
No public exploits indexed.
References:
- https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f
- https://github.com/git-for-windows/git/pull/4219
- https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c
- https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23