CVE-2022-39260 — HIGH (8.5)

Q: How severe is CVE-2022-39260?

CVE-2022-39260 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-39260?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Fedoraproject Fedora, Apple Xcode, Debian Debian Linux.

Vulnerability Description

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

CVSS Score

8.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Git-Scm	Git	< 2.30.6
Fedoraproject	Fedora	35
Apple	Xcode	< 14.1
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-122 CWE-787

References

http://seclists.org/fulldisclosure/2022/Nov/1Mailing ListThird Party Advisory
https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6MitigationThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202312-15
https://support.apple.com/kb/HT213496Third Party Advisory
http://seclists.org/fulldisclosure/2022/Nov/1Mailing ListThird Party Advisory
https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6MitigationThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202312-15

FAQ

What is CVE-2022-39260?

CVE-2022-39260 is a vulnerability with a CVSS score of 8.5 (HIGH). Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to ...

How severe is CVE-2022-39260?

CVE-2022-39260 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39260?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Fedoraproject Fedora, Apple Xcode, Debian Debian Linux.