Vulnerability Description
Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolles Search Path Element vulnerability. Maliciously-placed `doskey.exe` would be executed silently upon running Git CMD. The problem has been patched in Git for Windows v2.40.1. As a workaround, avoid using Git CMD or, if using Git CMD, avoid starting it in an untrusted directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Git For Windows Project | Git For Windows | < 2.40.1 |
Related Weaknesses (CWE)
References
- https://github.com/git-for-windows/git/releases/tag/v2.40.1.windows.1Release Notes
- https://github.com/git-for-windows/git/security/advisories/GHSA-gq5x-v87v-8f7gVendor Advisory
- https://github.com/git-for-windows/git/releases/tag/v2.40.1.windows.1Release Notes
- https://github.com/git-for-windows/git/security/advisories/GHSA-gq5x-v87v-8f7gVendor Advisory
FAQ
What is CVE-2023-29012?
CVE-2023-29012 is a vulnerability with a CVSS score of 7.2 (HIGH). Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolles Search Path Element vulnerabili...
How severe is CVE-2023-29012?
CVE-2023-29012 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-29012?
Check the references section above for vendor advisories and patch information. Affected products include: Git For Windows Project Git For Windows.