{"vulnerability": "CVE-2022-24765", "sightings": [{"uuid": "36bea4c0-26c5-4d99-ac22-ceca7055c98d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-24765", "type": "published-proof-of-concept", "source": "https://t.me/cKure/9345", "content": "\u25a0\u25a0\u25a1\u25a1\u25a1 CVE-2022-24765: This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim\u2019s current working directory. On Windows, for example, an attacker could create C:\\.git\\config, which would cause all git invocations that occur outside of a repository to read its configured values.\n\nhttps://github.blog/2022-04-12-git-security-vulnerability-announced/", "creation_timestamp": "2022-04-14T09:53:26.000000Z"}, {"uuid": "4fc2147a-7dfc-4f3e-9e20-e27335146229", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-24765", "type": "seen", "source": "https://t.me/cibsecurity/46093", "content": "\u203c CVE-2022-29187 \u203c\n\nGit is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. 
While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-07-13T00:25:32.000000Z"}, {"uuid": "925951ee-1850-4402-a409-336705f32246", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-24765", "type": "seen", "source": "https://t.me/cibsecurity/40669", "content": "\u203c CVE-2022-24765 \u203c\n\nGit for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. 
`C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-04-12T22:17:09.000000Z"}, {"uuid": "6a83e56d-ea01-44a6-8dfe-7f78e75553f8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-24765", "type": "seen", "source": "https://gist.github.com/pablodevhub/f8ea59b974140db34110721bea7e940b", "content": "# Fix: `git submodule update` \u2014 *fatal: detected dubious ownership in repository*\n\n## Problem\n\nWhen running Git commands (e.g. `git submodule update`) in a directory you do not own, Git returns the following error:\n\n```\nfatal: detected dubious ownership in repository at 'C:/Users/username/source/myproject'\n```\n\nGit refuses to operate on repositories where the current user does not match the owner of the directory.\n\n---\n\n## Solutions\n\n### 1. Add a specific directory to the whitelist\n\nAdds only the given path to the list of directories considered safe:\n\n```bash\ngit config --global --add safe.directory C:/Users/username/source/myproject\n```\n\nProduces in the `.gitconfig` file:\n\n```ini\n[safe]\n    directory = C:/Users/username/source/myproject\n```\n\n> Preferable when you want to limit the exception to a single project.\n\n---\n\n### 2. Disable the check for all directories\n\nMarks any directory as safe, regardless of ownership (the `*` is quoted so the shell does not expand it as a glob):\n\n```bash\ngit config --global --add safe.directory '*'\n```\n\nProduces in the `.gitconfig` file:\n\n```ini\n[safe]\n    directory = *\n```\n\n> Suitable in controlled environments (e.g. personal development machines, CI/CD containers) where the ownership check is not needed.\n\n---\n\n## `.gitconfig` file\n\nThe file is located at:\n\n| OS      | Path                            |\n|---------|---------------------------------|\n| Windows | `C:\\Users\\\\.gitconfig` |\n| Linux / macOS | `~/.gitconfig`            |\n\n---\n\n## References\n\n- [Git docs \u2014 `safe.directory`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-safedirectory)\n- [GitHub Advisory \u2014 CVE-2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/)", "creation_timestamp": "2026-06-04T11:39:57.000000Z"}]}