Vulnerability Details : CVE-2022-39253
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`).

A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or by having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory.

The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or by cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules`, or run `git config --global protocol.file.allow user`.
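As an added check for the workaround paragraph above (example script, not from the advisory or the Git project): it classifies a `git --version` string against the fixed releases listed here and tests whether `protocol.file.allow` holds a restrictive value. It assumes that releases below 2.30 received no fix, and, from the CPE list and the Fedora git-2.38.1 updates cited on this page, that 2.38.1 is the first fixed 2.38 release.

```shell
# Added example, not part of the advisory: classify a git version string
# against the fixed releases named for CVE-2022-39253 and check whether
# protocol.file.allow is set to a restrictive value. Assumptions: releases
# below 2.30 got no fix (treated as unpatched); 2.38.0 is listed as affected
# and the Fedora updates ship 2.38.1, so 2.38.1 is the first fixed 2.38.

# Returns 0 if the version contains the fix, 1 otherwise.
git_fixed_for_cve_2022_39253() {
    ver=${1#git version }               # accept raw `git --version` output
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # bare "2.38" has no patch field
    patch=${patch%%[!0-9]*}             # drop "-rc1", ".windows.1", ...
    [ -z "$patch" ] && patch=0
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    case $minor in
        30) need=6 ;;  31) need=5 ;;  32) need=4 ;;  33) need=5 ;;
        34) need=5 ;;  35) need=5 ;;  36) need=3 ;;  37) need=4 ;;
        38) need=1 ;;
        *)  [ "$minor" -gt 38 ] && return 0
            return 1 ;;
    esac
    [ "$patch" -ge "$need" ]
}

# Returns 0 only for the restrictive values; the page's workaround sets
# "user", and "never" is stricter. Unset (empty) counts as not hardened.
protocol_file_allow_ok() {
    case $1 in
        user|never) return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit the local installation when git is present on PATH.
audit_local_git() {
    v=$(git --version)
    git_fixed_for_cve_2022_39253 "$v" && echo "$v: fixed" \
        || echo "$v: NOT fixed; upgrade, or clone untrusted repos with --no-local"
    allow=$(git config --global --get protocol.file.allow 2>/dev/null || true)
    protocol_file_allow_ok "$allow" && echo "protocol.file.allow=$allow: restricted" \
        || echo "protocol.file.allow unset/permissive: run 'git config --global protocol.file.allow user'"
}

if command -v git >/dev/null 2>&1; then
    audit_local_git
fi
```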
Products affected by CVE-2022-39253
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.38.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39253
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- Percentile: ~46% (the proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2022-39253
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | 
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2022-39253
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Assigned by: nvd@nist.gov (Primary)
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-39253
- [SECURITY] Fedora 35 Update: git-2.38.1-1.fc35 (Mailing List): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
- About the security content of Xcode 14.1, Apple Support (Third Party Advisory): https://support.apple.com/kb/HT213496
- [SECURITY] Fedora 36 Update: git-2.38.1-1.fc36 (Mailing List): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
- [SECURITY] Fedora 37 Update: git-2.38.1-1.fc37 (Mailing List): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
- [SECURITY] Fedora 37 Update: moby-engine-20.10.20-1.fc37 (Mailing List): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMQWGMDLX6KTVWW5JZLVPI7ICAK72TN7/
- Git: Multiple Vulnerabilities (GLSA 202312-15), Gentoo security: https://security.gentoo.org/glsa/202312-15
- oss-security: git: 5 vulnerabilities fixed: http://www.openwall.com/lists/oss-security/2024/05/14/2
- [SECURITY] Fedora 36 Update: moby-engine-20.10.20-1.fc36 (Mailing List): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/
- [SECURITY] [DLA 3239-1] git security update (Mailing List; Third Party Advisory): https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
- oss-security: [Announce] Git 2.39.2 and friends (Mailing List; Third Party Advisory): http://www.openwall.com/lists/oss-security/2023/02/14/5
- Local clone optimization dereferences symbolic links by default, GitHub Advisory GHSA-3wp6-j8xr-qw85 (Mitigation; Third Party Advisory): https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
- Full Disclosure: APPLE-SA-2022-11-01-1 Xcode 14.1 (Mailing List; Third Party Advisory): http://seclists.org/fulldisclosure/2022/Nov/1