CVE-2023-23946
published 2023-02-14CVE-2023-23946: Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
1.14%
62.7th percentile
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
Affected
35 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | < git 1:2.39.2-1 (bookworm) | git 1:2.39.2-1 (bookworm) |
| git-scm | git | < 2.30.8 | 2.30.8 |
| git-scm | git | >= 2.31.0 < 2.31.7 | 2.31.7 |
| git-scm | git | >= 2.32.0 < 2.32.6 | 2.32.6 |
| git-scm | git | >= 2.33.0 < 2.33.7 | 2.33.7 |
| git-scm | git | >= 2.34.0 < 2.34.7 | 2.34.7 |
| git-scm | git | >= 2.35.0 < 2.35.7 | 2.35.7 |
| git-scm | git | >= 2.36.0 < 2.36.5 | 2.36.5 |
| git-scm | git | >= 2.37.0 < 2.37.6 | 2.37.6 |
| git-scm | git | >= 2.38.0 < 2.38.4 | 2.38.4 |
| git-scm | git | >= 2.39.0 < 2.39.2 | 2.39.2 |
| git | git | < 2.30.8 | 2.30.8 |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | — | — |
| git | git | >= 0 < 1:2.30.2-1+deb11u2 | 1:2.30.2-1+deb11u2 |
| git | git | >= 0 < 1:2.39.2-1 | 1:2.39.2-1 |
| git | git | >= 0 < 1:2.39.2-1 | 1:2.39.2-1 |
| git | git | >= 0 < 1:2.39.2-1 | 1:2.39.2-1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
osv7.5HIGH
vendor_debian6.2MEDIUM
vendor_msrc6.2HIGH
vendor_redhat6.2MEDIUM
vendor_ubuntu5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Siemens SCALANCE XCM-/XRM-300
cisa_ics·2024-02-15
Siemens SCALANCE XCM-/XRM-300
ICS Advisory
##
Siemens SCALANCE XCM-/XRM-300
Release DateFebruary 15, 2024
Alert CodeICSA-24-046-11
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE XCM-/XRM-300
- Vulnerabilities: Out-of-bounds Write, Incorrect Type Conversion or Cast, Improper Verification of Cryptographic Signature, Improper Access Control, Improper Authentication, Missing Encryption
Microsoft
GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability
vendor_msrc·2023-03-14·CVSS 6.2
CVE-2023-23946 [MEDIUM] GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability
GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability
FAQ: Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in MinGit software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Visual Studio: Visual Studio
GitHub: GitHub
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A
Remediation: Release Notes
Reference: http://aka.ms/vs/15/release/latest
Reference: https://my.visualstudio.co
Ubuntu
Git vulnerabilities
vendor_ubuntu·2023-02-14·CVSS 5.5
CVE-2023-23946 [MEDIUM] Git vulnerabilities
Title: Git vulnerabilities
Summary: Several security issues were fixed in Git.
It was discovered that Git incorrectly handled certain repositories.
An attacker could use this issue to make Git uses its local
clone optimization even when using a non-local transport.
(CVE-2023-22490)
Joern Schneeweisz discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to overwrite a patch outside
the working tree. (CVE-2023-23946)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: git apply: a path outside the working tree can be overwritten with crafted input
vendor_redhat·2023-02-14·CVSS 6.2
CVE-2023-23946 [MEDIUM] CWE-22 git: git apply: a path outside the working tree can be overwritten with crafted input
git: git apply: a path outside the working tree can be overwritten with crafted input
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
A vulnerability was found in Git. This security issue occurs when feeding a crafted input to "git app
Debian
CVE-2023-23946: git - Git, a revision control system, is vulnerable to path traversal prior to version...
vendor_debian·2023·CVSS 6.2
CVE-2023-23946 [MEDIUM] CVE-2023-23946: git - Git, a revision control system, is vulnerable to path traversal prior to version...
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
Scope: local
bookworm: resolved (fixed in 1:2.39.2-1)
bullseye: resolved (fixed in 1:2.30.2-1+deb11u2)
forky: resolved (fixed in 1:2.39.2-1)
sid: resolved (fixed in 1:2.39.2-1)
trixie: reso
OSV
git vulnerabilities
osv·2023-02-14·CVSS 5.5
CVE-2023-22490 [MEDIUM] git vulnerabilities
git vulnerabilities
It was discovered that Git incorrectly handled certain repositories.
An attacker could use this issue to make Git uses its local
clone optimization even when using a non-local transport.
(CVE-2023-22490)
Joern Schneeweisz discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to overwrite a patch outside
the working tree. (CVE-2023-23946)
OSV
CVE-2023-23946: Git, a revision control system, is vulnerable to path traversal prior to versions 2
osv·2023-02-14·CVSS 7.5
CVE-2023-23946 [HIGH] CVE-2023-23946: Git, a revision control system, is vulnerable to path traversal prior to versions 2
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfdhttps://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfhhttps://security.gentoo.org/glsa/202312-15https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfdhttps://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfhhttps://security.gentoo.org/glsa/202312-15
2023-02-14
Published