PT-2023-2928 · Git+10

0Xacb

Published 2023-04-25 · Updated 2025-11-04

CVE-2023-29007

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1
Description: The issue stems from insufficient neutralization of special elements, which can allow an attacker to execute arbitrary code. A specially crafted .gitmodules file with submodule URLs longer than 1024 characters can be used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can inject arbitrary configuration into a user's $GIT_DIR/config when Git attempts to remove the configuration section associated with that submodule. The attacker can inject configuration values that specify executables to run, such as core.pager, core.editor, or core.sshCommand, leading to remote code execution.
Recommendations: To resolve the issue, update to version 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1. As a temporary workaround, avoid running git submodule deinit on untrusted repositories, or inspect any submodule sections in $GIT_DIR/config before doing so.
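Two defender-side checks that follow from the description and recommendations above, added here as an example and not taken from Git or from the advisory's source: a version test against the fixed releases listed in this record, and a scan of a .gitmodules file for submodule URLs over the 1024-character threshold, for use before running git submodule deinit on a repository. It assumes, as the page's wording states, that every release older than 2.30.9 is affected and that 2.41 and later are not; the sample .gitmodules content is constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, keyed by the 2.x minor series they belong to.
FIXED_PATCH_BY_MINOR: Dict[int, int] = {
    30: 9, 31: 8, 32: 7, 33: 8, 34: 8, 35: 8,
    36: 6, 37: 7, 38: 5, 39: 3, 40: 1,
}
URL_LIMIT = 1024  # URL length the advisory says triggers the config.c bug

def parse_git_version(text: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of e.g. 'git version 2.39.2' or '2.40.1.windows.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected_version(text: str) -> bool:
    """True when the version predates the fixed release for its series."""
    major, minor, patch = parse_git_version(text)
    if major != 2:
        return major < 2  # assumption: anything older than 2.30.9 is affected, per the advisory
    if minor < 30:
        return True
    if minor > 40:
        return False      # assumption: 2.41 and later were released with the fix
    return patch < FIXED_PATCH_BY_MINOR[minor]

def overlong_submodule_urls(gitmodules: str, limit: int = URL_LIMIT) -> List[Tuple[str, int]]:
    """Return (submodule name, url length) for each url= entry longer than `limit`."""
    findings: List[Tuple[str, int]] = []
    section = None
    for raw in gitmodules.splitlines():
        line = raw.strip()
        head = re.match(r'\[submodule\s+"(.*)"\]', line)
        if head:
            section = head.group(1)
            continue
        kv = re.match(r"url\s*=\s*(.*)", line)
        if kv and section is not None and len(kv.group(1)) > limit:
            findings.append((section, len(kv.group(1))))
    return findings

# Constructed sample .gitmodules: one ordinary submodule, one whose URL is 1094 characters.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n'
    '[submodule "long"]\n\tpath = long\n\turl = https://example.invalid/' + "a" * 1070 + "\n"
)
```

Feed `git --version` output to `is_affected_version` and a repository's .gitmodules text to `overlong_submodule_urls`; any finding from the latter is a reason to inspect $GIT_DIR/config before deinit on an unpatched client.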

Exploit · Fix · RCE · Special Elements Injection

Weakness Enumeration

Related Identifiers

ALSA-2023:3245
ALSA-2023:3246
ALSA-2025_16880
ALT-PU-2023-1675
ALT-PU-2023-1695
ALT-PU-2023-4135
BDU:2023-02908
CESA-2023_3246
CESA-2023_3263
CVE-2023-29007
DLA-3844-1
DLA-3867-1
DSA-5769-1
ELSA-2023-3245
ELSA-2023-3246
ELSA-2023-3263
GHSA-V48J-4XGG-4844
MGASA-2023-0163
OESA-2023-1269
OPENSUSE-SU-2024:12889-1
RHSA-2023:3192
RHSA-2023:3243
RHSA-2023:3245
RHSA-2023:3246
RHSA-2023:3247
RHSA-2023:3248
RHSA-2023:3263
RHSA-2023:3280
RHSA-2023:3382
RLSA-2023:3246
ROSA-SA-2023-2176
ROSA-SA-2024-2398
SUSE-SU-2023:2038-1
SUSE-SU-2023:2038-2
SUSE-SU-2023:2062-1
SUSE-SU-2023:2081-1
USN-6050-1
USN-6050-2

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Git
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu