CVE-2023-23946 in Visual Studio
Summary
by MITRE • 02/14/2023
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/08/2023
The vulnerability identified as CVE-2023-23946 represents a critical path traversal flaw in Git revision control system that affects multiple versions prior to the patched releases. This vulnerability specifically targets the `git apply` command which is commonly used to apply patch files to the working tree. The flaw allows maliciously crafted patch files to potentially overwrite files outside the intended working directory, creating a significant security risk for developers and organizations relying on Git for version control operations.
The technical implementation of this vulnerability stems from inadequate input validation within Git's patch application mechanism. When `git apply` processes a patch file, it fails to properly sanitize file paths that may contain directory traversal sequences such as ../ or ..\ that could navigate outside the intended target directory. This weakness enables attackers to craft patches that, when applied, write content to arbitrary locations on the filesystem accessible to the user running the git apply command. The vulnerability is classified under CWE-22 Path Traversal and aligns with ATT&CK technique T1059.006 Command and Scripting Interpreter: PowerShell, as it involves manipulation of file system operations through command-line interfaces.
The operational impact of this vulnerability extends beyond simple file overwrites, as it can potentially allow attackers to modify critical system files, configuration data, or even inject malicious code into the repository. An attacker who gains the ability to submit or modify patch files in a development environment could exploit this vulnerability to compromise the integrity of the version control system itself. The risk is particularly elevated in collaborative environments where multiple developers contribute patches or when automated systems apply patches from untrusted sources.
Organizations should immediately upgrade to the patched versions of Git including 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 to remediate this vulnerability. In the interim, administrators should implement the recommended workaround of using `git apply --stat` to inspect patches before application, which provides a statistical view of changes without executing them. Additionally, developers should avoid applying patches that create symbolic links followed by file creation operations beyond those symbolic links, as this pattern is particularly susceptible to exploitation. The vulnerability demonstrates the importance of proper input validation and sandboxing in version control systems, as even seemingly benign operations like applying patches can become attack vectors when proper security controls are not implemented.