Severity
Medium
Analysis Summary
CVE-2023-22490 CVSS:5.5
Git could allow a local attacker to launch a symlink attack, caused by a flaw in the $GIT_DIR/objects directory. An attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to read arbitrary files on the system.
CVE-2023-22743 CVSS:7.2
Git for Windows could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL hijacking when run under the SYSTEM user account. By placing a specially-crafted DLL file, an attacker could exploit this vulnerability to execute arbitrary code> on the system with SYSTEM privileges.
CVE-2023-23618 CVSS:8.6
Git for Windows could allow a local attacker to execute arbitrary code on the system, caused by a flaw in the gitk. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-23946 CVSS:6.2
Git could allow a local attacker to traverse directories on the system, caused by improper validation of user request by “git apply”. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to overwrite arbitrary files on the system.
Impact
- Information Disclosure
- Code Execution
Indicators Of Compromise
CVE
- CVE-2023-22490
- CVE-2023-22743
- CVE-2023-23618
- CVE-2023-23946
Affected Vendors
GitHUB
Affected Products
- Git 2.30.7
- Git 2.31.6
- Git 2.32.5
- Git 2.33.6
- Git 2.34.6
- Git 2.35.6
- Git 2.38.3
- Git for Windows 2.35.1.2
- Git for Windows 2.39.1
- Git 2.30.0
- Git 2.38.0
- Git 2.39
- Git 2.39.1
- Git 2.31.0
- Git 2.32.0
- Git 2.33.0
- Git 2.34.0
- Git 2.35.0
Remediation
Refer to GIT Repository for patch, upgrade or suggested workaround information.