PT-2023-1314 · Git+1 · Git Gui+1
Ycdxsb
·
Published
2023-01-17
·
Updated
2023-11-06
·
CVE-2022-41953
CVSS v3.1
8.6
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Git GUI versions prior to 2.39.1
Description
The issue is related to the Git GUI's function to clone repositories. Due to the design of Tcl on Windows, the search path for executables includes the current directory. This allows malicious repositories to ship with an
aspell.exe in their top-level directory, which is executed by Git GUI without giving the user a chance to inspect it first, resulting in the execution of untrusted code.Recommendations
For versions prior to 2.39.1, upgrade to version 2.39.1 or later to resolve the issue.
If upgrading is not viable, avoid using Git GUI for cloning.
As a temporary workaround, consider avoiding cloning from untrusted sources to minimize the risk of exploitation.
Exploit
Fix
Untrusted Search Path
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Git Gui