CVE-2022-41903
Vulnerability from cvelistv5
Published
2023-01-17 22:17
Modified
2025-03-10 21:21
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
References
security-advisories@github.comhttps://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_substVendor Advisory
security-advisories@github.comhttps://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncemVendor Advisory
security-advisories@github.comhttps://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76Patch, Release Notes, Third Party Advisory
security-advisories@github.comhttps://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwqThird Party Advisory
security-advisories@github.comhttps://security.gentoo.org/glsa/202312-15
af854a3a-2127-422b-91ae-364da2661108https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_substVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncemVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76Patch, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwqThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202312-15
Impacted products
Vendor Product Version
git git Version: < 2.30.7
Version: >= 2.31.0, < 2.31.6
Version: >= 2.32.0, < 2.32.5
Version: >= 2.33.0, < 2.33.6
Version: >= 2.34.0, < 2.34.6
Version: >= 2.35.0, < 2.35.6
Version: >= 2.36.0, < 2.36.4
Version: >= 2.37.0, < 2.37.5
Version: >= 2.38.0, < 2.38.3
Version: = 2.39.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T12:56:38.383Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq",
               },
               {
                  name: "https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76",
               },
               {
                  name: "https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst",
               },
               {
                  name: "https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202312-15",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-41903",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-10T20:59:12.527761Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-10T21:21:50.039Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "git",
               vendor: "git",
               versions: [
                  {
                     status: "affected",
                     version: "< 2.30.7",
                  },
                  {
                     status: "affected",
                     version: ">= 2.31.0, < 2.31.6",
                  },
                  {
                     status: "affected",
                     version: ">= 2.32.0, < 2.32.5",
                  },
                  {
                     status: "affected",
                     version: ">= 2.33.0, < 2.33.6",
                  },
                  {
                     status: "affected",
                     version: ">= 2.34.0, < 2.34.6",
                  },
                  {
                     status: "affected",
                     version: ">= 2.35.0, < 2.35.6",
                  },
                  {
                     status: "affected",
                     version: ">= 2.36.0, < 2.36.4",
                  },
                  {
                     status: "affected",
                     version: ">= 2.37.0, < 2.37.5",
                  },
                  {
                     status: "affected",
                     version: ">= 2.38.0, < 2.38.3",
                  },
                  {
                     status: "affected",
                     version: "= 2.39.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-190",
                     description: "CWE-190: Integer Overflow or Wraparound",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-12-27T10:06:32.604Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq",
            },
            {
               name: "https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76",
            },
            {
               name: "https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst",
            },
            {
               name: "https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem",
            },
            {
               url: "https://security.gentoo.org/glsa/202312-15",
            },
         ],
         source: {
            advisory: "GHSA-475x-2q3q-hvwq",
            discovery: "UNKNOWN",
         },
         title: "Integer overflow in `git archive`, `git log --format` leading to RCE in git",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-41903",
      datePublished: "2023-01-17T22:17:16.123Z",
      dateReserved: "2022-09-30T16:38:28.931Z",
      dateUpdated: "2025-03-10T21:21:50.039Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2022-41903\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-17T23:15:15.690\",\"lastModified\":\"2024-11-21T07:24:01.993\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.\"},{\"lang\":\"es\",\"value\":\"Git es un sistema de control de revisiones distribuido. `git log` puede mostrar confirmaciones en un formato arbitrario usando sus especificadores `--format`. Esta funcionalidad también está expuesta a \\\"git archive\\\" a través del atributo git \\\"export-subst\\\". Al procesar los operadores de relleno, hay un desbordamiento de enteros en `pretty.c::format_and_pad_commit()` donde `size_t` se almacena incorrectamente como `int` y luego se agrega como un desplazamiento a `memcpy()`. Este desbordamiento puede ser desencadenado directamente por un usuario que ejecuta un comando que invoca la maquinaria de formato de commit (por ejemplo, `git log --format=...`). También se puede activar indirectamente a través del archivo git mediante el mecanismo export-subst, que expande los especificadores de formato dentro de los archivos dentro del repositorio durante un archivo git. Este desbordamiento de enteros puede dar lugar a escrituras arbitrarias en el almacenamiento dinámico, lo que puede dar lugar a la ejecución de código arbitrario. El problema ha sido solucionado en las versiones publicadas el 17-01-2023, remontándose a la v2.30.7. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben desactivar \\\"git archive\\\" en repositorios que no sean de confianza. Si expone el archivo git a través de `git daemon`, desactívelo ejecutando `git config --global daemon.uploadArch false`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.30.6\",\"matchCriteriaId\":\"8D0B133C-FC2B-4CBF-8840-C85F6D650510\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.31.0\",\"versionEndIncluding\":\"2.31.5\",\"matchCriteriaId\":\"BA5113C4-D095-4E76-A6C6-F849E11DFA9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.32.0\",\"versionEndIncluding\":\"2.32.4\",\"matchCriteriaId\":\"B82E8E87-1083-45B9-A273-E6AB31548D56\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.33.0\",\"versionEndIncluding\":\"2.33.5\",\"matchCriteriaId\":\"C9162726-CACE-4CB9-ACDE-204655D6BB3B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.34.0\",\"versionEndIncluding\":\"2.34.5\",\"matchCriteriaId\":\"65D149AF-5604-4109-A60B-CB7B5BBBEE87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.35.0\",\"versionEndIncluding\":\"2.35.5\",\"matchCriteriaId\":\"383C057B-98D3-4AC6-9D43-AE13CC81FEC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.36.0\",\"versionEndIncluding\":\"2.36.3\",\"matchCriteriaId\":\"7B191BB2-D3C9-440D-8F7F-237BE0CBDB96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.37.0\",\"versionEndIncluding\":\"2.37.4\",\"matchCriteriaId\":\"E3F7AE8C-A383-442C-8E74-7BC13E8B251D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.38.0\",\"versionEndIncluding\":\"2.38.2\",\"matchCriteriaId\":\"28F8851A-1566-4F16-AEC4-2C09AC866C2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:git-scm:git:2.39.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC98AC76-7F3E-45A0-9DE6-3D097CEE5199\"}]}]}],\"references\":[{\"url\":\"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202312-15\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202312-15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq\", \"name\": \"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76\", \"name\": \"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst\", \"name\": \"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem\", \"name\": \"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202312-15\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:56:38.383Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41903\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T20:59:12.527761Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T20:59:13.878Z\"}}], \"cna\": {\"title\": \"Integer overflow in `git archive`, `git log --format` leading to RCE in git\", \"source\": {\"advisory\": \"GHSA-475x-2q3q-hvwq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"git\", \"product\": \"git\", \"versions\": [{\"status\": \"affected\", \"version\": \"< 2.30.7\"}, {\"status\": \"affected\", \"version\": \">= 2.31.0, < 2.31.6\"}, {\"status\": \"affected\", \"version\": \">= 2.32.0, < 2.32.5\"}, {\"status\": \"affected\", \"version\": \">= 2.33.0, < 2.33.6\"}, {\"status\": \"affected\", \"version\": \">= 2.34.0, < 2.34.6\"}, {\"status\": \"affected\", \"version\": \">= 2.35.0, < 2.35.6\"}, {\"status\": \"affected\", \"version\": \">= 2.36.0, < 2.36.4\"}, {\"status\": \"affected\", \"version\": \">= 2.37.0, < 2.37.5\"}, {\"status\": \"affected\", \"version\": \">= 2.38.0, < 2.38.3\"}, {\"status\": \"affected\", \"version\": \"= 2.39.0\"}]}], \"references\": [{\"url\": \"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq\", \"name\": \"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76\", \"name\": \"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst\", \"name\": \"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem\", \"name\": \"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://security.gentoo.org/glsa/202312-15\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-190\", \"description\": \"CWE-190: Integer Overflow or Wraparound\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-12-27T10:06:32.604Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2022-41903\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:21:50.039Z\", \"dateReserved\": \"2022-09-30T16:38:28.931Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-01-17T22:17:16.123Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.