CVE-2023-23946

CVSS V2 None CVSS V3 None

Description

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Overview

CVE ID
CVE-2023-23946

Assigner
security-advisories@github.com

Vulnerability Status
Analyzed

Published Version
2023-02-14T20:15:17

Last Modified Date
2023-02-23T19:59:32

Weakness Enumerations

CWE	URL
CWE-22	http://cwe.mitre.org/data/definitions/22.html
CWE-22	http://cwe.mitre.org/data/definitions/22.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:git-scm:git::::::::	1	OR		2.30.8
cpe:2.3:a:git-scm:git::::::::	1	OR	2.31.0	2.31.7
cpe:2.3:a:git-scm:git::::::::	1	OR	2.32.0	2.32.6
cpe:2.3:a:git-scm:git::::::::	1	OR	2.33.0	2.33.7
cpe:2.3:a:git-scm:git::::::::	1	OR	2.34.0	2.34.7
cpe:2.3:a:git-scm:git::::::::	1	OR	2.35.0	2.35.7
cpe:2.3:a:git-scm:git::::::::	1	OR	2.36.0	2.36.5
cpe:2.3:a:git-scm:git::::::::	1	OR	2.37.0	2.37.6
cpe:2.3:a:git-scm:git::::::::	1	OR	2.38.0	2.38.4
cpe:2.3:a:git-scm:git::::::::	1	OR	2.39.0	2.39.2

References

Reference URL	Reference Tags
https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd	Patch
https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh	Vendor Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-23946
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 07:45:57				Added to TrackCVE
2023-04-17 07:45:58			Weakness Enumeration	new