CVE-2023-25815
published 2023-04-25
Priority: P4 · 11 · low · 2.2 (CVSS 3.1)
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
EPSS: 1.05% (60.2th percentile)
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.
This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
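A read-only PowerShell audit for the conditions described above, added here as an example and not taken from the advisory or the Git for Windows project: it reports the installed Git version against 2.40.1, whether `C:\mingw64` exists and holds gettext message catalogs, and which non-administrative principals may create folders in `C:\`. The function names and the choice of SYSTEM and Administrators as the only privileged SIDs are assumptions of this example.

```powershell
# Added example (not from the advisory): audit a host for the conditions
# described for CVE-2023-25815. Read-only; it changes nothing on disk.
$MingwRoot    = 'C:\mingw64'
$LocaleRoot   = 'C:\mingw64\share\locale'   # hard-coded lookup path from the advisory
$FixedVersion = [version]'2.40.1'           # first patched Git for Windows release
# Well-known SIDs treated as privileged (assumption of this example).
$PrivilegedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

function Get-GitVersion {
    $git = Get-Command git.exe -ErrorAction SilentlyContinue
    if (-not $git) { return $null }
    # Output looks like "git version 2.40.0.windows.1"; keep major.minor.patch.
    if ((& $git.Source --version) -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Get-UnprivilegedFolderCreators([string]$Path) {
    # Allow ACEs that apply to $Path itself and let a non-privileged
    # principal create subfolders directly inside it.
    $create      = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $create) -eq $create) -and
            (($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly) -and
            ($PrivilegedSids -notcontains $_.IdentityReference.Value)
        }
}

$gitVersion = Get-GitVersion
$catalogs = @()
if (Test-Path -LiteralPath $LocaleRoot) {
    # gettext catalogs are compiled .mo files under <lang>\LC_MESSAGES.
    $catalogs = @(Get-ChildItem -LiteralPath $LocaleRoot -Recurse -Filter *.mo `
                      -File -ErrorAction SilentlyContinue)
}
$owner = if (Test-Path -LiteralPath $MingwRoot) { (Get-Acl -LiteralPath $MingwRoot).Owner }

[pscustomobject]@{
    GitVersion        = $gitVersion
    GitIsPatched      = if ($gitVersion) { $gitVersion -ge $FixedVersion } else { $null }
    MingwFolderExists = Test-Path -LiteralPath $MingwRoot
    MingwFolderOwner  = $owner
    MessageCatalogs   = $catalogs.FullName
    CanCreateInRoot   = @(Get-UnprivilegedFolderCreators 'C:\').IdentityReference.Value
}
```

Any entry under `MessageCatalogs`, or a `C:\mingw64` folder owned by an ordinary user account, deserves a closer look on a host running a Git for Windows build older than 2.40.1.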
Affected
30 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | < git 1:2.39.5-0+deb12u1 (bookworm) | git 1:2.39.5-0+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| git-for-windows | git | < 2.40.1 | 2.40.1 |
| git | git | >= 0 < 2.32.7-r0 | 2.32.7-r0 |
| git | git | >= 0 < 2.34.8-r0 | 2.34.8-r0 |
| git | git | >= 0 < 2.36.6-r0 | 2.36.6-r0 |
| git | git | >= 0 < 2.38.5-r0 | 2.38.5-r0 |
| git | git | >= 0 < 2.40.1-r0 | 2.40.1-r0 |
| git | git | >= 0 < 2.40.1-r0 | 2.40.1-r0 |
| git | git | >= 0 < 2.40.1-r0 | 2.40.1-r0 |
| git | git | >= 0 < 2.40.1-r0 | 2.40.1-r0 |
| git | git | >= 0 < 2.40.1-r0 | 2.40.1-r0 |
| git | git | >= 0 < 2.40.1-r0 | 2.40.1-r0 |
| git | git | >= 0 < 1:2.30.2-1+deb11u3 | 1:2.30.2-1+deb11u3 |
| git | git | >= 0 < 1:2.39.5-0+deb12u1 | 1:2.39.5-0+deb12u1 |
| git | git | >= 0 < 1:2.40.1-1 | 1:2.40.1-1 |
| git | git | >= 0 < 1:2.40.1-1 | 1:2.40.1-1 |
| git | git | >= 0 < 1:2.17.1-1ubuntu0.18 | 1:2.17.1-1ubuntu0.18 |
| git | git | >= 0 < 1:2.25.1-1ubuntu3.11 | 1:2.25.1-1ubuntu3.11 |
| git | git | >= 0 < 1:2.34.1-1ubuntu1.9 | 1:2.34.1-1ubuntu1.9 |
| git | git | >= 0 < 1:2.7.4-0ubuntu1.10+esm8 | 1:2.7.4-0ubuntu1.10+esm8 |
| git | git | >= 0 < 1:2.17.1-1ubuntu0.18+esm1 | 1:2.17.1-1ubuntu0.18+esm1 |
| git_for_windows_project | git_for_windows | < 2.40.1 | 2.40.1 |
| msrc | microsoft_visual_studio_2017_version_15.9 | — | — |
CVSS provenance
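| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 2.2 | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 3.3 | LOW | — |
| vendor_msrc | — | 3.3 | HIGH | — |
| vendor_redhat | — | 3.3 | LOW | — |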
OSV
git vulnerabilities
osv·2024-09-19·CVSS 2.2
CVE-2023-25815 [LOW] git vulnerabilities
git vulnerabilities
Maxime Escourbiac and Yassine Bengana discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. This issue was fixed
in Ubuntu 16.04 LTS. (CVE-2023-25815)
It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32002)
It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code. This
issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32004, CVE-2024-32465)
It was discovered that Git incorrectly handled local clones with hardlinked
files/directories. An attac
OSV
git vulnerabilities
osv·2023-05-01·CVSS 7.5
CVE-2023-25652 [HIGH] git vulnerabilities
git vulnerabilities
It was discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to overwrite some paths.
(CVE-2023-25652)
Maxime Escourbiac and Yassine BENGANA discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. (CVE-2023-25815)
André Baptista and Vítor Pinho discovered that Git incorrectly handled
certain configurations. An attacker could possibly use this issue
for arbitrary configuration injection. (CVE-2023-29007)
OSV
CVE-2023-25815: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer
osv·2023-04-25·CVSS 2.2
CVE-2023-25815 [LOW] CVE-2023-25815: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.
This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message a
Ubuntu
Git vulnerabilities
vendor_ubuntu·2024-09-19·CVSS 3.3
CVE-2024-32021 [LOW] Git vulnerabilities
Title: Git vulnerabilities
Summary: Several security issues were fixed in Git.
Maxime Escourbiac and Yassine Bengana discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. This issue was fixed
in Ubuntu 16.04 LTS. (CVE-2023-25815)
It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32002)
It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code. This
issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32004, CVE-2024-32465)
It was discovered that Git incorrectly hand
Microsoft
GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place
vendor_msrc·2023-06-13·CVSS 3.3
CVE-2023-25815 [LOW] GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place
GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place
FAQ: Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Git for Windows software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Visual Studio: Visual Studio
GitHub: GitHub
Customer Action Required: Yes
Impact: Spoofing
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely
Remediation: Release Notes
Reference: http://aka.ms/vs/15/release/latest
Reference: https://docs.microsoft.
Ubuntu
Git vulnerabilities
vendor_ubuntu·2023-05-01·CVSS 7.5
CVE-2023-25815 [HIGH] Git vulnerabilities
Title: Git vulnerabilities
Summary: Several security issues were fixed in Git.
It was discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to overwrite some paths.
(CVE-2023-25652)
Maxime Escourbiac and Yassine BENGANA discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. (CVE-2023-25815)
André Baptista and Vítor Pinho discovered that Git incorrectly handled
certain configurations. An attacker could possibly use this issue
for arbitrary configuration injection. (CVE-2023-29007)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: malicious placement of crafted messages when git was compiled with runtime prefix
vendor_redhat·2023-04-25·CVSS 3.3
CVE-2023-25815 [LOW] git: malicious placement of crafted messages when git was compiled with runtime prefix
git: malicious placement of crafted messages when git was compiled with runtime prefix
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.
This vulnerability is relative
Debian
CVE-2023-25815: git - In Git for Windows, the Windows port of Git, no localized messages are shipped w...
vendor_debian·2023·CVSS 3.3
CVE-2023-25815 [LOW] CVE-2023-25815: git - In Git for Windows, the Windows port of Git, no localized messages are shipped w...
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at
No detection rules found.
No public exploits indexed.
CWE
Uncontrolled Search Path Element
mitre_cwe
CWE-427 Uncontrolled Search Path Element
CWE-427: Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as "/tmp" or the current working directory. In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled: the directory from which the program has been loaded the current wor
CWE
Incorrect Initialization of Resource
mitre_cwe
CWE-1419 Incorrect Initialization of Resource
CWE-1419: Incorrect Initialization of Resource
The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.
This can have security implications when the associated resource is expected to have certain properties or values. Examples include a variable that determines whether a user has been authenticated or not, or a register or fuse value that determines the security state of the product. For software, this weakness can frequently occur when implicit initialization is used, meaning the resource is not explicitly set to a specific value. For example, in C, memory is not necessarily cleared when it is allocated on the stack, and many scripting languages use a default empty, nul
http://www.openwall.com/lists/oss-security/2023/04/25/2
https://axcheron.github.io/exploit-101-format-strings/#writing-to-the-stack
https://github.com/git-for-windows/git/releases/tag/v2.40.1.windows.1
https://github.com/git-for-windows/git/security/advisories/GHSA-9w66-8mq8-5vm8
https://github.com/msys2/MINGW-packages/pull/10461
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
https://pubs.opengroup.org/onlinepubs/9699919799/functions/printf.html
https://security.gentoo.org/glsa/202312-15