CVE-2023-29012

CWE-427CWE-233 documents3 sources
Severity
7.8HIGH
EPSS
0.1%
top 73.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Git-for-windows GITGIT FOR Windows Project GIT FOR Windows
Timeline
PublishedApr 25
Latest updateJun 13

Description

Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolles Search Path Element vulnerability. Maliciously-placed `doskey.exe` would be executed silently upon running Git CMD. The problem has been patched in Git for Windows v2.40.1. As a workaround, avoid using Git CMD or, if using Git CMD, avoid starting it in an untrusted directory.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 0.6 | Impact: 6.0

Affected Packages2 packages

CVEListV5git-for-windows/git< 2.40.1
NVDgit< 2.40.1

🔴Vulnerability Details

1
CVEList
Git CMD erroneously executes `doskey.exe` in the current directory, if it exists2023-04-25

📋Vendor Advisories

1
Microsoft
GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists2023-06-13