Jan 18, 2023 | Ravie Lakshmanan | DevOpsSec / Software Security

Remote Code Execution Attacks

The maintainers of the Git[1]
source code version control system have released updates to
remediate two critical vulnerabilities that could be exploited by a
malicious actor to achieve remote code execution.

The flaws, tracked as CVE-2022-23521[2] and CVE-2022-41903[3], impact the following
versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5,
v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.

Patched versions include v2.30.7, v2.31.6, v2.32.5, v2.33.6,
v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. X41 D-Sec
security researchers Markus Vervier and Eric Sesterhenn as well as
GitLab’s Joern Schneeweisz have been credited with reporting the
bugs.

“The most severe issue discovered allows an attacker to trigger
a heap-based memory corruption during clone or pull operations,
which might result in code execution,” the German cybersecurity
company said[4]
of CVE-2022-23521.

CVE-2022-41903, also a critical vulnerability, is triggered
during an archive operation, leading to code execution by way of an
integer overflow flaw that arises when formatting the commit
logs.

“Additionally, a huge number of integer related issues was
identified which may lead to denial-of-service situations,
out-of-bound reads or simply badly handled corner cases on large
input,” X41 D-Sec noted.

While there are no workarounds for CVE-2022-23521, Git is
recommending that users disable “git archive” in untrusted
repositories as a mitigation for CVE-2022-41903 in scenarios where
updating to the latest version is not an option.
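As an added example (not from the article, the Git project or X41 D-Sec), the POSIX shell snippet below checks a Git version string against the patched release lines listed above and shows the one-line mitigation of turning off archive serving in git-daemon when an upgrade has to wait. The `daemon.uploadArch` setting is Git's own; the function names are this example's.

```shell
#!/bin/sh
# Patch level that fixes CVE-2022-23521 / CVE-2022-41903 on each release
# line named in the advisory (2.30 -> 2.30.7, 2.31 -> 2.31.6, ...).
patched_for_line() {
  case "$1" in
    2.30) echo 7 ;;  2.31) echo 6 ;;  2.32) echo 5 ;;  2.33) echo 6 ;;
    2.34) echo 6 ;;  2.35) echo 6 ;;  2.36) echo 4 ;;  2.37) echo 5 ;;
    2.38) echo 3 ;;  2.39) echo 1 ;;  *) echo "" ;;
  esac
}

# git_is_patched VERSION -> prints "patched", "vulnerable" or "unknown".
# VERSION is e.g. "2.38.2" or "2.39.1.windows.1" (output of `git --version`
# with the "git version " prefix removed).
git_is_patched() {
  ver=$1
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}            # drop suffixes such as ".windows.1"
  [ "$major" = 2 ] || { echo unknown; return; }
  need=$(patched_for_line "$major.$minor")
  if [ -z "$need" ]; then
    # Lines after 2.39 were cut from fixed code; older lines got no fix
    # in this advisory, so we cannot call them patched.
    if [ "$minor" -gt 39 ]; then echo patched; else echo unknown; fi
    return
  fi
  if [ "${patch:-0}" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Version of the git binary on PATH, or empty if git is not installed.
local_git_version() {
  git --version 2>/dev/null | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# Mitigation for CVE-2022-41903 when upgrading is not yet possible: stop
# git-daemon from serving `git archive --remote` requests. daemon.uploadArch
# is off by default, so this only matters where it was switched on.
disable_remote_archive() {
  git config --global daemon.uploadArch false
}

v=$(local_git_version)
if [ -n "$v" ]; then
  echo "git $v: $(git_is_patched "$v")"
fi
```

Run the script on each host that clones, pulls or serves repositories; a "vulnerable" result means the binary predates the fix for its release line.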

GitLab, in a coordinated advisory, said[5]
it has released versions 15.7.5, 15.6.6, and 15.5.9 for GitLab
Community Edition (CE) and Enterprise Edition (EE) to address the
shortcomings, urging customers to apply the fixes with immediate
effect.


References

  1. Git (git-scm.com)
  2. CVE-2022-23521 (github.com)
  3. CVE-2022-41903 (github.com)
  4. X41 D-Sec advisory (x41-dsec.de)
  5. GitLab advisory (about.gitlab.com)
  6. Twitter (twitter.com)
  7. LinkedIn (www.linkedin.com)
