Cybersecurity researchers from X41 and GitLab have discovered three high-severity vulnerabilities in the Git distributed version control system.
The flaws could allow threat actors to run arbitrary code on targeted endpoints by exploiting a heap-based buffer overflow vulnerability, the researchers said. Of the three vulnerabilities, two already have patches, while the third has a workaround.
The two vulnerabilities that have been patched are tracked as CVE-2022-41903 and CVE-2022-23521. Those wishing to protect their devices should update Git to version 2.30.7. The third one is tracked as CVE-2022-41953, and the workaround is to clone repositories without using the Git GUI software. According to BleepingComputer, another way to stay safe is to avoid cloning from untrusted sources altogether.
Patches and Workarounds
“The most serious issue discovered allowed an attacker to trigger heap-based memory corruption during clone or pull operations, which could lead to code execution. Another critical issue allowed code execution during archive operations, which is often performed by Git forges,” the researchers said in their advisory.
“Additionally, a large number of integer-related issues were found that could lead to denial-of-service situations, out-of-bounds reads, or corner cases where large inputs were mishandled.”
Git has released several additional versions, so to be on the safe side, make sure you’re running the latest version of Git, 2.39.1.
BleepingComputer notes that those who cannot apply the patch immediately should disable “git archive” on untrusted repositories, or avoid running commands on untrusted repositories at all. Also, if “git archive” is exposed via “git daemon”, users should disable it when serving untrusted repositories. It says this can be done with the command “git config --global daemon.uploadArch false”.
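As an added example (not code from the article, BleepingComputer or the Git project), a POSIX shell helper that parses `git --version` output, checks the installed release against a patched-version threshold, and points at the `daemon.uploadArch` workaround when the host cannot be upgraded yet; the default threshold, the function names and the sample version strings are assumptions drawn from the versions the article names.

```shell
#!/bin/sh
# Added example: decide whether an installed Git meets a patched version
# threshold and, if not, point at the daemon.uploadArch workaround quoted in
# the article. Threshold and function names are assumptions; the article
# names 2.30.7 as a patched release and 2.39.1 as the latest version.

# Extract the dotted version from a "git version X.Y.Z[...]" line.
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9.]*[0-9]\).*/\1/p'
}

# Return 0 when dotted version $1 is at least version $2 (three components;
# a missing component counts as 0, so 2.39 is older than 2.39.1).
version_ge() {
    want=$2
    old_ifs=$IFS
    IFS=.
    set -- $1;    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $want; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then return $((a1 < b1)); fi
    if [ "$a2" -ne "$b2" ]; then return $((a2 < b2)); fi
    return $((a3 < b3))
}

# Print "patched", "vulnerable" or "unknown" for a "git --version" line ($1)
# compared against a minimum fixed version ($2).
git_status_for() {
    v=$(parse_git_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$2"; then echo "patched"; return 0; fi
    echo "vulnerable"
    return 1
}

# Workaround from the article for hosts that cannot upgrade yet: stop
# "git daemon" from serving archives of untrusted repositories.
apply_workaround() {
    git config --global daemon.uploadArch false
}

# Query the real binary only when invoked as: ./check-git.sh check [minimum]
if [ "${1:-}" = "check" ]; then
    status=$(git_status_for "$(git --version 2>/dev/null)" "${2:-2.30.7}") || true
    echo "git: $status"
    if [ "$status" = "vulnerable" ]; then
        echo "consider running apply_workaround, then upgrade to 2.39.1"
    fi
fi
```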
“We strongly recommend that all installations running the version affected by the issue [..] upgrade to the latest version as soon as possible,” GitLab warns.
Via: BleepingComputer