Severity: 2.2 LOW
EPSS: 0.1% (top 72.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 25; Latest update Sep 19

Description

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
Exploitability: 0.8 | Impact: 2.5

Affected Packages (5 packages)

CVEListV5: git-for-windows/git < 2.40.1
NVD: git < 2.40.1
Alpine: git < 2.32.7-r0+9
Debian: git < 1:2.30.2-1+deb11u3+3
Ubuntu: git < 1:2.17.1-1ubuntu0.18+4

Also affects: Fedora 37, 38

Patches

Vulnerability Details (5)

OSV: git vulnerabilities (2024-09-19)
OSV: git vulnerabilities (2023-05-01)
CVEList: Git looks for localized messages in the wrong place (2023-04-25)
OSV: CVE-2023-25815: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer (2023-04-25)
OSV: CVE-2023-25815: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer (2023-04-25)

Vendor Advisories (5)

Ubuntu: Git vulnerabilities (2024-09-19)
Microsoft: GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place (2023-06-13)
Ubuntu: Git vulnerabilities (2023-05-01)
Red Hat: git: malicious placement of crafted messages when git was compiled with runtime prefix (2023-04-25)
Debian: CVE-2023-25815: git - In Git for Windows, the Windows port of Git, no localized messages are shipped w... (2023)