PT-2023-1239 · Git+10

Eric Sesterhenn

+1

Published 2023-01-17 · Updated 2026-02-17 · CVE-2022-23521

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Git versions prior to 2.30.7, 2.31.6, 2.32.5, 2.33.6, 2.34.6, 2.35.6, 2.36.4, 2.37.5, 2.38.3 and 2.39.1 (every maintained release line received the fix on 2023-01-17; a 2.31.x through 2.39.0 build is affected even though it is newer than 2.30.7).
Description: The issue is in Git's gitattributes mechanism, which assigns attributes to paths. When parsing gitattributes, multiple integer overflows can occur due to a huge number of path patterns, a huge number of attributes for a single pattern, or huge declared attribute names, because the relevant counters and size computations use fixed-width integers. These overflows can be triggered via a crafted .gitattributes file, which may be part of a repository's commit history, so cloning or checking out an untrusted repository is enough to reach the vulnerable code. The overflows lead to out-of-bounds heap reads and writes and may result in remote code execution. Git silently splits .gitattributes lines longer than 2 KB when it reads the file from the working tree, but not when it reads it from the index, so the failure mode depends on whether the file exists in the working tree, the index, or both.
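To make the bug class concrete, the following is an added illustrative example and not Git's own code: a minimal gitattributes line parser that shows the vulnerable arithmetic (a count held in a 32-bit integer multiplied into an allocation size, which wraps) beside a hardened version that counts in size_t, checks the multiplication for overflow and rejects overlong lines and excessive attribute counts. The struct layout, the limits ATTR_MAX_LINE_LEN and ATTR_MAX_ATTRS, and all function names are this example's own assumptions; Git's fix takes the same general approach of widening the counters and bounding the input, but its exact values and code differ.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits chosen for this example; Git's own fix also bounds the length of a
 * gitattributes line, but the exact values here are ours. */
#define ATTR_MAX_LINE_LEN 2048
#define ATTR_MAX_ATTRS    512

/* One parsed attribute, pointing into the caller's line buffer. */
struct attr_state {
    const char *name;
    size_t name_len;
};

/* Vulnerable arithmetic, modelled on counting attributes in a 32-bit integer:
 * the product wraps modulo 2^32, so enough attributes on one line turn a
 * multi-gigabyte request into a tiny buffer that is later indexed by the real
 * count (heap out-of-bounds write). */
static uint32_t unchecked_alloc_size(uint32_t num_attr, uint32_t elem_size)
{
    return num_attr * elem_size;
}

/* Hardened arithmetic: size_t operands and an explicit overflow check
 * (__builtin_mul_overflow is available in GCC and Clang). */
static bool checked_alloc_size(size_t num_attr, size_t elem_size, size_t *out)
{
    return !__builtin_mul_overflow(num_attr, elem_size, out);
}

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

static const char *skip_token(const char *p)
{
    while (*p && *p != ' ' && *p != '\t')
        p++;
    return p;
}

/* Parse one gitattributes line of the form "pattern attr1 attr2 ...".
 * On success *out owns a malloc'd array and the attribute count is returned;
 * 0 means a blank/comment line or a pattern without attributes; -1 means the
 * line was rejected (too long, too many attributes, or the allocation size
 * would overflow). Quoted patterns containing spaces are not handled here. */
static long parse_attr_line(const char *line, struct attr_state **out)
{
    size_t num_attr = 0, bytes, i;
    const char *p;
    struct attr_state *states;

    *out = NULL;
    if (strlen(line) > ATTR_MAX_LINE_LEN)
        return -1;                      /* reject rather than silently split */

    p = skip_ws(line);
    if (*p == '\0' || *p == '#')
        return 0;
    p = skip_token(p);                  /* the path pattern itself */

    /* First pass: count attributes in a size_t, with a hard cap. */
    for (const char *q = skip_ws(p); *q; q = skip_ws(skip_token(q))) {
        if (++num_attr > ATTR_MAX_ATTRS)
            return -1;
    }
    if (num_attr == 0)
        return 0;

    if (!checked_alloc_size(num_attr, sizeof(*states), &bytes))
        return -1;
    states = malloc(bytes);
    if (!states)
        return -1;

    /* Second pass: fill exactly num_attr entries, the same bound used above. */
    p = skip_ws(p);
    for (i = 0; i < num_attr; i++) {
        const char *end = skip_token(p);
        states[i].name = p;
        states[i].name_len = (size_t)(end - p);
        p = skip_ws(end);
    }
    *out = states;
    return (long)num_attr;
}

int main(void)
{
    /* Constructed sample line, not taken from any real repository. */
    const char *line = "*.c text diff=cpp -crlf !eol";
    struct attr_state *attrs;
    long n = parse_attr_line(line, &attrs);

    printf("wrapped size for 0x10000001 records of 16 bytes: %" PRIu32 "\n",
           unchecked_alloc_size(0x10000001u, 16u));
    for (long i = 0; i < n; i++)
        printf("attr %ld: %.*s\n", i, (int)attrs[i].name_len, attrs[i].name);
    free(attrs);
    return 0;
}
```

The two-pass structure matters: the allocation is sized from the same bounded size_t count that the fill loop uses, so the index can never run past the buffer, and the line-length check fails closed instead of silently truncating, which avoids the working-tree-versus-index inconsistency described above.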
Recommendations: Upgrade to Git 2.30.7, 2.31.6, 2.32.5, 2.33.6, 2.34.6, 2.35.6, 2.36.4, 2.37.5, 2.38.3 or 2.39.1 (all released 2023-01-17) or later, or to a distribution package that carries the fix (see the related identifiers below). Note that the .gitattributes file is controlled by whoever authored the repository, so keeping your own .gitattributes files free of huge numbers of path patterns, attributes per pattern or very long attribute names is good hygiene but does not protect against a crafted repository that you clone, fetch or check out. Until the upgrade is deployed, avoid processing untrusted repositories on vulnerable hosts, including CI runners and code-hosting servers that run git on user-supplied content.

Tags: Exploit · Fix · RCE · Integer Overflow


Weakness Enumeration

Related Identifiers

ALSA-2023:0610
ALSA-2023:0611
ALT-PU-2023-1067
ALT-PU-2023-1096
ALT-PU-2023-4135
AZL-13024
BDU:2023-00499
CESA-2023_0610
CESA-2023_0978
CVE-2022-23521
DLA-3282-1
DSA-5332-1
GHSA-C738-C5QQ-XG89
MGASA-2023-0033
OESA-2023-1044
OPENSUSE-SU-2023_0108-1
OPENSUSE-SU-2023_0110-1
OPENSUSE-SU-2024:12625-1
RHSA-2023:0596
RHSA-2023:0597
RHSA-2023:0599
RHSA-2023:0609
RHSA-2023:0610
RHSA-2023:0611
RHSA-2023:0627
RHSA-2023:0628
RHSA-2023:0978
RHSA-2023:1677
RLSA-2023:0610
RLSA-2023:0611
ROSA-SA-2023-2130
ROSA-SA-2024-2398
SUSE-SU-2023:0108-1
SUSE-SU-2023:0109-1
SUSE-SU-2023:0110-1
USN-5810-1
USN-5810-2
USN-5810-3
USN-5810-4

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Git
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu