CVE-2023-22742 — MEDIUM (5.3)

Q: How severe is CVE-2023-22742?

CVE-2023-22742 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-22742?

Check the references section above for vendor advisories and patch information. Affected products include: Libgit2 Libgit2.

Vulnerability Description

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Libgit2	Libgit2	< 1.4.5

Related Weaknesses (CWE)

CWE-347

References

http://www.openwall.com/lists/oss-security/2023/11/06/5
https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50ePatchThird Party Advisory
https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58PatchThird Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v1.4.5Release NotesThird Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v1.5.1Release NotesThird Party Advisory
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjqThird Party Advisory
https://www.libssh2.orgThird Party Advisory
http://www.openwall.com/lists/oss-security/2023/11/06/5
https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50ePatchThird Party Advisory
https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58PatchThird Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v1.4.5Release NotesThird Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v1.5.1Release NotesThird Party Advisory
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjqThird Party Advisory
https://www.libssh2.orgThird Party Advisory

FAQ

What is CVE-2023-22742?

CVE-2023-22742 is a vulnerability with a CVSS score of 5.3 (MEDIUM). libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior version...

How severe is CVE-2023-22742?

CVE-2023-22742 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22742?

Check the references section above for vendor advisories and patch information. Affected products include: Libgit2 Libgit2.