PT-2023-1314 · Git+1 · Git Gui+1
Ycdxsb
·
Publicado
2023-01-17
·
Atualizado
2023-11-06
·
CVE-2022-41953
CVSS v3.1
8.6
Alta
| Vetor | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Git GUI versions prior to 2.39.1
Description
The issue is related to the Git GUI's function to clone repositories. Due to the design of Tcl on Windows, the search path for executables includes the current directory. This allows malicious repositories to ship with an
aspell.exe in their top-level directory, which is executed by Git GUI without giving the user a chance to inspect it first, resulting in the execution of untrusted code.Recommendations
For versions prior to 2.39.1, upgrade to version 2.39.1 or later to resolve the issue.
If upgrading is not viable, avoid using Git GUI for cloning.
As a temporary workaround, consider avoiding cloning from untrusted sources to minimize the risk of exploitation.
Exploit
Correção
Untrusted Search Path
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Alt Linux
Git Gui