CVE-2023-23946

CWE-22 — Path Traversal8 documents7 sources

Severity

7.5HIGH

EPSS

1.7%

top 17.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GIT GIT Git-scm GIT

Timeline

PublishedFeb 14

Latest updateMar 14

Description

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch befo…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.5 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5git/git< 2.30.8+9

▶NVDgit-scm/git2.31.0 — 2.31.7+9

▶Debiangit< 1:2.30.2-1+deb11u2+3

▶Ubuntugit< 1:2.17.1-1ubuntu0.16+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Git's `git apply` overwriting paths outside the working tree↗2023-02-14

▶

OSV

git vulnerabilities↗2023-02-14

▶

OSV

CVE-2023-23946: Git, a revision control system, is vulnerable to path traversal prior to versions 2↗2023-02-14

▶

📋Vendor Advisories

Microsoft

GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability↗2023-03-14

▶

Ubuntu

Git vulnerabilities↗2023-02-14

▶

Red Hat

git: git apply: a path outside the working tree can be overwritten with crafted input↗2023-02-14

▶

Debian

CVE-2023-23946: git - Git, a revision control system, is vulnerable to path traversal prior to version...↗2023

▶