PT-2023-1296 · Libgit2+7

Published

2023-01-20

·

Updated

2024-07-29

·

CVE-2023-22742

CVSS v2.0

10

High

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

libgit2 versions prior to 1.4.5
libgit2 versions prior to 1.5.1
Description

The issue is that libgit2 performs no certificate checking by default when an SSH remote is used with the optional libssh2 backend. Clients therefore do not validate the server's SSH host key and may be subject to a man-in-the-middle attack. Users are encouraged to update to a newer version to mitigate the risk. The certificate check field of libgit2's git remote callbacks structure must be set for certificate checking to take place; if no certificate check callback is set, libgit2 performs no certificate checking at all.
Recommendations

For libgit2 versions prior to 1.4.5, update to version 1.4.5 or later. For libgit2 versions prior to 1.5.1, update to version 1.5.1 or later. As a temporary workaround, set the certificate check field of libgit2's git remote callbacks structure so that certificate checking is performed. Users unable to upgrade should ensure that all relevant certificates are checked manually.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

ALT-PU-2023-1559
ALT-PU-2024-7165
AZL-13175
BDU:2023-00574
CVE-2023-22742
DLA-3340-1
GHSA-8643-3WH5-RMJQ
GHSA-M4CH-RFV5-X5G3
MGASA-2024-0059
OESA-2023-1957
OPENSUSE-SU-2024:12632-1
ROSA-SA-2023-2235
RUSTSEC-2023-0003
SUSE-SU-2023:1570-1
SUSE-SU-2023:1788-1
SUSE-SU-2023:1909-1
SUSE-SU-2023_1788-1
SUSE-SU-2023_1909-1
USN-6678-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu
Libgit2
Libssh2