CVE-2022-24765, reported by the version control platform GitHub on April 12, 2022 and recorded in the NIST National Vulnerability Database, describes a potential vulnerability in local Git installations that may particularly affect Git for Windows and multi-user systems. GitHub itself and its users are not directly affected, but the platform nevertheless recommends promptly updating to the v2.35.2 maintenance release provided by Git.
Vulnerability in multi-user systems
As the CVE description explains, an attacker on a multi-user system could create a .git directory at a shared level above the main working directory. On Windows this makes it possible to create C:\.git\config, for example, so that every Git invocation made outside a repository reads the values configured there. Because some configuration variables, such as core.fsmonitor, can cause Git to execute arbitrary commands, an attacker could inject their own commands into the system and have them triggered. Git v2.35.2 no longer allows switching to a top-level Git directory when that is accompanied by a change of user. The necessary exceptions to this new behavior can be found in the also new
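As an added illustration (not code from the article or the Git project), the following bash script performs the defender-side check the description implies: it walks from a working directory up to the filesystem root, reports every .git directory on the way, flags any that the current user does not own, and shows whether its config sets core.fsmonitor. The config is parsed with awk rather than by invoking git, so nothing from a suspect directory is ever executed; the demo tree, the placeholder fsmonitor value and the function names are constructed for this example, and bash's `[ -O ]` owner test is assumed (on Windows, run it under Git Bash).

```shell
#!/bin/bash
# Added example (not from the article): find .git directories above a working
# directory that belong to another user, the precondition of CVE-2022-24765,
# and show any core.fsmonitor value they carry, without executing anything.

# Print the core.fsmonitor value from a git config file, or "-" if unset.
fsmonitor_value() {
    [ -f "$1" ] || { echo "-"; return; }
    awk '
        { key = tolower($0) }
        key ~ /^[ \t]*\[/ { insec = (key ~ /^[ \t]*\[core\][ \t]*$/); next }
        insec && key ~ /^[ \t]*fsmonitor[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit }
        END { if (!found) print "-" }
    ' "$1"
}

# Walk from $1 (default: .) up to the root; one line per .git directory found:
#   <path> owner=<self|other> fsmonitor=<value|->
# Exit status 1 if any .git directory is owned by another user, else 0.
scan_parents() {
    local dir rc=0 owner
    dir=$(cd "${1:-.}" && pwd -P) || return 2
    while :; do
        if [ -d "$dir/.git" ]; then
            owner=other; [ -O "$dir/.git" ] && owner=self
            [ "$owner" = other ] && rc=1
            printf '%s owner=%s fsmonitor=%s\n' "$dir/.git" "$owner" \
                "$(fsmonitor_value "$dir/.git/config")"
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Constructed demo tree: a .git directory two levels above the working
# directory whose config sets core.fsmonitor (placeholder value, not a hook).
demo() {
    local top; top=$(mktemp -d) || return 2
    mkdir -p "$top/.git" "$top/proj/src"
    printf '[core]\n\tfsmonitor = /placeholder/example-command\n' > "$top/.git/config"
    scan_parents "$top/proj/src" | grep "^$top/" || true
    rm -rf "$top"
}
```

Run `demo` to see the constructed case, or `scan_parents /path/to/checkout` on a real machine; a line with `owner=other` is exactly the situation the v2.35.2 change refuses to use.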
Another vulnerability, described in CVE-2022-24767, allows potentially malicious .dll files to be planted and affects the Git for Windows uninstaller. If the uninstaller runs under the SYSTEM account, it uses that account's temporary directory, C:\Windows\Temp, as usual, and because the default permissions there allow it, any authenticated user could inject .dll files into the process. Git for Windows v2.35.2 closes this gap.
More details about the vulnerabilities can be found in the GitHub blog and in the Git project's announcement of maintenance release v2.35.2, which was published together with the patch releases v2.30.3, v2.31.2, v2.32.1, v2.33.2 and v2.34.2.