cbcvebase.
CVE-2023-25652
published 2023-04-25


Priority: P261 · Severity: high · Score: 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 52.16% (98.8th percentile)
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.

Affected

39 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | git | < git 1:2.39.5-0+deb12u1 (bookworm) | git 1:2.39.5-0+deb12u1 (bookworm) |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| git-scm | git | < 2.30.9 | 2.30.9 |
| git-scm | git | | |
| git-scm | git | >= 2.31.0 < 2.31.8 | 2.31.8 |
| git-scm | git | >= 2.32.0 < 2.32.7 | 2.32.7 |
| git-scm | git | >= 2.33.0 < 2.33.8 | 2.33.8 |
| git-scm | git | >= 2.34.0 < 2.34.8 | 2.34.8 |
| git-scm | git | >= 2.35.0 < 2.35.8 | 2.35.8 |
| git-scm | git | >= 2.36.0 < 2.36.6 | 2.36.6 |
| git-scm | git | >= 2.37.0 < 2.37.7 | 2.37.7 |
| git-scm | git | >= 2.38.0 < 2.38.5 | 2.38.5 |
| git-scm | git | >= 2.39.0 < 2.39.3 | 2.39.3 |
| git | git | < 2.30.9 | 2.30.9 |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |
| git | git | | |

Detection & IOCs (extracted from sources)

command: git apply --reject
path: *.rej
  • Monitor invocations of `git apply --reject` with patches sourced from untrusted or external inputs; a write outside the working tree through a symlinked *.rej file is the exploitation primitive.
  • Detect symlinks whose name matches *.rej in the working tree before or after a `git apply` operation, since exploitation requires a link corresponding to the *.rej file to exist.
  • Use `git apply --stat` to inspect patches before applying them; flag any automated pipeline that skips this inspection step and directly invokes `git apply --reject`.
  • Vulnerable Git versions are those prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1; ensure all Git installations are patched to one of these fixed versions.
  • MinGit bundled with Microsoft Visual Studio is also affected; Visual Studio installations consuming MinGit must be updated via the Visual Studio update channel.
  • The attack scope is local per Debian's tracker; exploitation requires the ability to supply a crafted patch to a `git apply --reject` invocation on the target system.
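The pre-apply check in the detection notes above can be scripted. The following is an added example, not code from the advisory, from Git, or from this tracker: it lists symlinks named `*.rej` in a working tree, refuses `git apply --reject` while any exist, and prints the `git apply --stat` summary before applying. The helper names (`rej_symlinks`, `guarded_apply_reject`, `make_sample_tree`, `count_rej_symlinks`) and the sample tree are constructed for illustration; the two `git apply` flags are the ones named on this page.

```shell
#!/bin/sh
# Added example: guard a `git apply --reject` run on an untrusted patch.
# Helper names and the sample tree are constructed for this example.

# Print every symlink under $1 whose name ends in .rej, one path per line.
# Git writes rejected hunks to <file>.rej; a symlink there redirects the write.
rej_symlinks() {
    find "$1" -type l -name '*.rej' 2>/dev/null
}

# Apply patch $2 inside repo $1 with --reject only when no *.rej symlink
# exists. The --stat pass first shows which paths the patch would touch.
guarded_apply_reject() {
    repo=$1
    patch=$2
    links=$(rej_symlinks "$repo")
    if [ -n "$links" ]; then
        printf 'refusing --reject: symlinked *.rej present:\n%s\n' "$links" >&2
        return 1
    fi
    git -C "$repo" apply --stat "$patch" || return 1
    git -C "$repo" apply --reject "$patch"
}

# Build a constructed sample tree containing the pattern the check looks for:
# a source file plus a symlink named after its would-be .rej file.
# The check itself does not need git, so this runs stand-alone.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    printf 'int x;\n' > "$dir/src/a.c"
    ln -s "$dir/outside-target" "$dir/src/a.c.rej"   # constructed: link in .rej position
    printf '%s' "$dir"
}

# Number of *.rej symlinks under $1 (0 means --reject is safe by this check).
count_rej_symlinks() {
    rej_symlinks "$1" | wc -l | tr -d ' '
}

# Stand-alone run: expect 1 symlink found, then 0 after it is removed.
if [ "${RUN_SAMPLE:-0}" = "1" ]; then
    d=$(make_sample_tree)
    echo "rej symlinks before cleanup: $(count_rej_symlinks "$d")"
    rm "$d/src/a.c.rej"
    echo "rej symlinks after cleanup:  $(count_rej_symlinks "$d")"
    rm -rf "$d"
fi
```

The tree-wide scan is deliberately broader than the advisory's condition (a link at the exact `.rej` path of a file the patch conflicts on); a stricter variant would derive candidate paths from the patch's `+++` headers and check only those, at the cost of parsing the patch before Git has validated it.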

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_msrc | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |