CVE-2023-25652

CWE-22: Path Traversal (10 documents, 7 sources)

Severity: 7.5 HIGH
EPSS: 1.8% (top 17.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 25; latest update Jun 13

Description

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid us

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (4 packages)

Source      Package      Affected versions                 More ranges
CVEListV5   git/git      < 2.30.9                          +10
NVD         git-scm/git  2.31.0 to 2.31.8                  +10
Debian      git          < 1:2.30.2-1+deb11u3              +3
Ubuntu      git          < 1:2.17.1-1ubuntu0.18            +3

Also affects: Fedora 37, 38

Patches

Vulnerability Details (4)

OSV: git vulnerabilities (2023-05-17)
OSV: git vulnerabilities (2023-05-01)
OSV: CVE-2023-25652: Git is a revision control system (2023-04-25)
CVEList: "git apply --reject" partially-controlled arbitrary file write (2023-04-25)

Vendor Advisories (5)

Microsoft: GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write (2023-06-13)
Ubuntu: Git vulnerabilities (2023-05-17)
Ubuntu: Git vulnerabilities (2023-05-01)
Red Hat: git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (2023-04-25)
Debian: CVE-2023-25652: git - Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33... (2023)