Git prior 2.37.4 Local Clone information disclosure

Summaryinfo

A vulnerability classified as problematic has been found in Git. Impacted is an unknown function of the component Local Clone Handler. This manipulation causes information disclosure. This vulnerability is tracked as CVE-2022-39253. The attack is restricted to local execution. No exploit exists. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Git (Versioning Software). It has been declared as problematic. Affected by this vulnerability is some unknown processing of the component Local Clone Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. The summary by CVE is:

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

The weakness was disclosed 10/19/2022 as GHSA-3wp6-j8xr-qw85. The advisory is shared at github.com. This vulnerability is known as CVE-2022-39253 since 09/02/2022. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 211059 (Fedora 37 : git (2022-fb088df94c)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 or 2.37.4 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (211059). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Versioning Software

Name

• Git

License

• open-source

Website

• Product: https://github.com/git/git/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion