var-202207-0791
Vulnerability from variot
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks. Git contains an uncontrolled search path element vulnerability. This vulnerability is CVE-2022-24765 And related vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ========================================================================== Ubuntu Security Notice USN-5511-1 July 13, 2022
git vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Git could be made to run arbitrary commands as an administrator if it received specially crafted inputs. An attacker could possibly use this issue to run arbitrary commands as administrator. (CVE-2022-29187)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04 LTS: git 1:2.34.1-1ubuntu1.4
Ubuntu 21.10: git 1:2.32.0-1ubuntu1.3
Ubuntu 20.04 LTS: git 1:2.25.1-1ubuntu3.5
Ubuntu 18.04 LTS: git 1:2.17.1-1ubuntu0.12
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: git security and bug fix update Advisory ID: RHSA-2023:2319-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2319 Issue date: 2023-05-09 CVE Names: CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 ==================================================================== 1. Summary:
An update for git is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
- As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
-
git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree (CVE-2022-24765)
-
git: Bypass of safe.directory protections (CVE-2022-29187)
-
git: exposure of sensitive information to a malicious actor (CVE-2022-39253)
-
git: git shell function that splits command arguments can lead to arbitrary heap writes. (CVE-2022-39260)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2073414 - CVE-2022-24765 git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree 2107439 - CVE-2022-29187 git: Bypass of safe.directory protections 2137422 - CVE-2022-39253 git: exposure of sensitive information to a malicious actor 2137423 - CVE-2022-39260 git: git shell function that splits command arguments can lead to arbitrary heap writes. 2139379 - Rebase git to 2.39 version [rhel-9.2]
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source: git-2.39.1-1.el9.src.rpm
aarch64: git-2.39.1-1.el9.aarch64.rpm git-core-2.39.1-1.el9.aarch64.rpm git-core-debuginfo-2.39.1-1.el9.aarch64.rpm git-credential-libsecret-2.39.1-1.el9.aarch64.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.aarch64.rpm git-daemon-2.39.1-1.el9.aarch64.rpm git-daemon-debuginfo-2.39.1-1.el9.aarch64.rpm git-debuginfo-2.39.1-1.el9.aarch64.rpm git-debugsource-2.39.1-1.el9.aarch64.rpm git-subtree-2.39.1-1.el9.aarch64.rpm
noarch: git-all-2.39.1-1.el9.noarch.rpm git-core-doc-2.39.1-1.el9.noarch.rpm git-email-2.39.1-1.el9.noarch.rpm git-gui-2.39.1-1.el9.noarch.rpm git-instaweb-2.39.1-1.el9.noarch.rpm git-svn-2.39.1-1.el9.noarch.rpm gitk-2.39.1-1.el9.noarch.rpm gitweb-2.39.1-1.el9.noarch.rpm perl-Git-2.39.1-1.el9.noarch.rpm perl-Git-SVN-2.39.1-1.el9.noarch.rpm
ppc64le: git-2.39.1-1.el9.ppc64le.rpm git-core-2.39.1-1.el9.ppc64le.rpm git-core-debuginfo-2.39.1-1.el9.ppc64le.rpm git-credential-libsecret-2.39.1-1.el9.ppc64le.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.ppc64le.rpm git-daemon-2.39.1-1.el9.ppc64le.rpm git-daemon-debuginfo-2.39.1-1.el9.ppc64le.rpm git-debuginfo-2.39.1-1.el9.ppc64le.rpm git-debugsource-2.39.1-1.el9.ppc64le.rpm git-subtree-2.39.1-1.el9.ppc64le.rpm
s390x: git-2.39.1-1.el9.s390x.rpm git-core-2.39.1-1.el9.s390x.rpm git-core-debuginfo-2.39.1-1.el9.s390x.rpm git-credential-libsecret-2.39.1-1.el9.s390x.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.s390x.rpm git-daemon-2.39.1-1.el9.s390x.rpm git-daemon-debuginfo-2.39.1-1.el9.s390x.rpm git-debuginfo-2.39.1-1.el9.s390x.rpm git-debugsource-2.39.1-1.el9.s390x.rpm git-subtree-2.39.1-1.el9.s390x.rpm
x86_64: git-2.39.1-1.el9.x86_64.rpm git-core-2.39.1-1.el9.x86_64.rpm git-core-debuginfo-2.39.1-1.el9.x86_64.rpm git-credential-libsecret-2.39.1-1.el9.x86_64.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.x86_64.rpm git-daemon-2.39.1-1.el9.x86_64.rpm git-daemon-debuginfo-2.39.1-1.el9.x86_64.rpm git-debuginfo-2.39.1-1.el9.x86_64.rpm git-debugsource-2.39.1-1.el9.x86_64.rpm git-subtree-2.39.1-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-24765 https://access.redhat.com/security/cve/CVE-2022-29187 https://access.redhat.com/security/cve/CVE-2022-39253 https://access.redhat.com/security/cve/CVE-2022-39260 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBZFo03tzjgjWX9erEAQhYSg//bKkon2hHN6jSsXXntqw9ViT5zo9r/KTD cV+t7GM4ipVK8j4EW8EnQKrJBWAzsEhqM2vh9MvM/PpTQ2I/JP53YbTed0qgxE3T SU07XMVbh1BA7OKyJ+eKfWJLBT03/VzzaepqQPwyHyFDAegJ/L9DlZOkHc9NJrfa R+N2Hde/TmUlnRl737ltWtQHE1QSTV1PQZuXb3AEWm6FDe7O62F0GpsuIWj1z8oo IIDLHRjp/mCqT6/A70NIRQvcwhLfRYYMOezKL80iGi7WwRokwEScDFE+gzB9FLrf pjNBFZkQVVxMVYOejArmPuLINaEdZJo/HAOiEtw9gOTzALyKFbWwOHDmSzz1hgbz kqFtZgwnpVZNs3UubXCgWeP4aU9xueZeyBHKNQKVERODtrKFt5jbpPrXu6qGyP9O 6GSgMbUDO5OMqOhTKQiMbKj5gO2DfOIO6vNP5eFwvSXPJG0ZlPIzAJD1cwZdtsVK wWBIMfjjc8zUh8OYm+CWg/lgpZLkQxe/wtFcC7Pw1u7nkN95npMXM3O75R8xe1zg xsa+wzjCmVRwrO2gLnT7/NUkY3saShCvBD+A82trnasbVlI/49oiojZY1PI3CZtz afQDlfLvgygNkV3e5CGe5p9PILwmFbrpALV43dEz6eY+MbeuoE6I7ON8tYtmx4Ds hOpSLJjOLjE=YQQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2022-11-01-1 Xcode 14.1
Xcode 14.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213496.
Git Available for: macOS Monterey 12.5 and later Impact: Multiple issues in git Description: Multiple issues were addressed by updating to git version 2.32.3. CVE-2022-29187: Carlo Marcelo Arenas Belón and Johannes Schindelin
Git Available for: macOS Monterey 12.5 and later Impact: Cloning a malicious repository may result in the disclosure of sensitive information Description: This issue was addressed with improved checks. CVE-2022-39253: Cory Snider of Mirantis
Git Available for: macOS Monterey 12.5 and later Impact: A remote user may cause an unexpected app termination or arbitrary code execution if git shell is allowed as a login shell Description: This issue was addressed with improved checks. CVE-2022-39260: Kevin Backhouse of the GitHub Security Lab
IDE Xcode Server Available for: macOS Monterey 12.5 and later Impact: An app may be able to gain root privileges Description: An injection issue was addressed with improved input validation. CVE-2022-42797: Tim Michaud (@TimGMichaud) of Moveworks.ai
Xcode 14.1 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "Xcode 14.1". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell.
This update includes two changes of behavior that may affect certain setup: - It stops when directory traversal changes ownership from the current user while looking for a top-level git directory, a user could make an exception by using the new safe.directory configuration. - The default of protocol.file.allow has been changed from "always" to "user".
For the stable distribution (bullseye), these problems have been fixed in version 1:2.30.2-1+deb11u1.
We recommend that you upgrade your git packages.
Background
libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API.
Impact
Usages of a malicious crafted Git repository could allow the creator of the repository to elevate privileges to those of the user accessing the repository.
Workaround
Administrators can ensure that their usages of libgit2 only interact with repositories which have only been modified by trusted users. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202312-15
https://security.gentoo.org/
Severity: High Title: Git: Multiple Vulnerabilities Date: December 27, 2023 Bugs: #838127, #857831, #877565, #891221, #894472, #905088 ID: 202312-15
Synopsis
Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution.
Background
Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.
Affected packages
Package Vulnerable Unaffected
dev-vcs/git < 2.39.3 >= 2.39.3
Description
Multiple vulnerabilities have been discovered in Git. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Git users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.39.3"
References
[ 1 ] CVE-2022-23521 https://nvd.nist.gov/vuln/detail/CVE-2022-23521 [ 2 ] CVE-2022-24765 https://nvd.nist.gov/vuln/detail/CVE-2022-24765 [ 3 ] CVE-2022-29187 https://nvd.nist.gov/vuln/detail/CVE-2022-29187 [ 4 ] CVE-2022-39253 https://nvd.nist.gov/vuln/detail/CVE-2022-39253 [ 5 ] CVE-2022-39260 https://nvd.nist.gov/vuln/detail/CVE-2022-39260 [ 6 ] CVE-2022-41903 https://nvd.nist.gov/vuln/detail/CVE-2022-41903 [ 7 ] CVE-2023-22490 https://nvd.nist.gov/vuln/detail/CVE-2023-22490 [ 8 ] CVE-2023-23946 https://nvd.nist.gov/vuln/detail/CVE-2023-23946 [ 9 ] CVE-2023-25652 https://nvd.nist.gov/vuln/detail/CVE-2023-25652 [ 10 ] CVE-2023-25815 https://nvd.nist.gov/vuln/detail/CVE-2023-25815 [ 11 ] CVE-2023-29007 https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202312-15
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202207-0791", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.35.4" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.33.4" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.32.3" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.32.1" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.31.4" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.35.2" }, { "model": "xcode", "scope": "lt", "trust": 1.0, "vendor": "apple", "version": "14.1" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.37.0" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.34.4" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.33.2" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.36.2" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.30.3" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.36.0" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.31.2" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.30.5" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "35" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "10.0" }, { "model": "git", "scope": "gte", "trust": 1.0, "vendor": "git scm", "version": "2.34.2" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "36" }, { "model": "git", "scope": "lt", "trust": 1.0, "vendor": "git scm", "version": "2.37.1" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "37" }, { "model": "git", "scope": null, "trust": 0.8, "vendor": "git scm", "version": null }, { "model": "xcode", "scope": null, "trust": 0.8, "vendor": "\u30a2\u30c3\u30d7\u30eb", "version": null }, { "model": "gnu/linux", "scope": null, "trust": 0.8, "vendor": "debian", "version": null }, { "model": "fedora", "scope": null, "trust": 0.8, "vendor": "fedora", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "NVD", "id": "CVE-2022-29187" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "172366" }, { "db": "PACKETSTORM", "id": "172210" } ], "trust": 0.2 }, "cve": "CVE-2022-29187", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 3.4, "id": "CVE-2022-29187", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 3.4, "id": "VHN-420721", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:L/AC:M/AU:N/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.8, "id": "CVE-2022-29187", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "OTHER", "availabilityImpact": "High", "baseScore": 7.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "JVNDB-2022-015238", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-29187", "trust": 1.0, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2022-29187", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2022-29187", "trust": 0.8, "value": "High" }, { "author": "CNNVD", "id": "CNNVD-202207-1179", "trust": 0.6, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-420721", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2022-29187", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-420721" }, { "db": "VULMON", "id": "CVE-2022-29187" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "CNNVD", "id": "CNNVD-202207-1179" }, { "db": "NVD", "id": "CVE-2022-29187" }, { "db": "NVD", "id": "CVE-2022-29187" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks. Git contains an uncontrolled search path element vulnerability. This vulnerability is CVE-2022-24765 And related vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ==========================================================================\nUbuntu Security Notice USN-5511-1\nJuly 13, 2022\n\ngit vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.04 LTS\n- Ubuntu 21.10\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nGit could be made to run arbitrary commands as an administrator\nif it received specially crafted inputs. An attacker could possibly use this issue to\nrun arbitrary commands as administrator. (CVE-2022-29187)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.04 LTS:\n git 1:2.34.1-1ubuntu1.4\n\nUbuntu 21.10:\n git 1:2.32.0-1ubuntu1.3\n\nUbuntu 20.04 LTS:\n git 1:2.25.1-1ubuntu3.5\n\nUbuntu 18.04 LTS:\n git 1:2.17.1-1ubuntu0.12\n\nIn general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: git security and bug fix update\nAdvisory ID: RHSA-2023:2319-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2023:2319\nIssue date: 2023-05-09\nCVE Names: CVE-2022-24765 CVE-2022-29187 CVE-2022-39253\n CVE-2022-39260\n====================================================================\n1. Summary:\n\nAn update for git is now available for Red Hat Enterprise Linux 9. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. As opposed to centralized version control systems with a\nclient-server model, Git ensures that each working copy of a Git repository\nis an exact copy with complete revision history. This not only allows the\nuser to work on and contribute to projects without the need to have\npermission to push the changes to their official repositories, but also\nmakes it possible for the user to work with no network connection. \n\nSecurity Fix(es):\n\n* git: On multi-user machines Git users might find themselves unexpectedly\nin a Git worktree (CVE-2022-24765)\n\n* git: Bypass of safe.directory protections (CVE-2022-29187)\n\n* git: exposure of sensitive information to a malicious actor\n(CVE-2022-39253)\n\n* git: git shell function that splits command arguments can lead to\narbitrary heap writes. (CVE-2022-39260)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 9.2 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2073414 - CVE-2022-24765 git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree\n2107439 - CVE-2022-29187 git: Bypass of safe.directory protections\n2137422 - CVE-2022-39253 git: exposure of sensitive information to a malicious actor\n2137423 - CVE-2022-39260 git: git shell function that splits command arguments can lead to arbitrary heap writes. \n2139379 - Rebase git to 2.39 version [rhel-9.2]\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 9):\n\nSource:\ngit-2.39.1-1.el9.src.rpm\n\naarch64:\ngit-2.39.1-1.el9.aarch64.rpm\ngit-core-2.39.1-1.el9.aarch64.rpm\ngit-core-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-credential-libsecret-2.39.1-1.el9.aarch64.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-daemon-2.39.1-1.el9.aarch64.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-debugsource-2.39.1-1.el9.aarch64.rpm\ngit-subtree-2.39.1-1.el9.aarch64.rpm\n\nnoarch:\ngit-all-2.39.1-1.el9.noarch.rpm\ngit-core-doc-2.39.1-1.el9.noarch.rpm\ngit-email-2.39.1-1.el9.noarch.rpm\ngit-gui-2.39.1-1.el9.noarch.rpm\ngit-instaweb-2.39.1-1.el9.noarch.rpm\ngit-svn-2.39.1-1.el9.noarch.rpm\ngitk-2.39.1-1.el9.noarch.rpm\ngitweb-2.39.1-1.el9.noarch.rpm\nperl-Git-2.39.1-1.el9.noarch.rpm\nperl-Git-SVN-2.39.1-1.el9.noarch.rpm\n\nppc64le:\ngit-2.39.1-1.el9.ppc64le.rpm\ngit-core-2.39.1-1.el9.ppc64le.rpm\ngit-core-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-credential-libsecret-2.39.1-1.el9.ppc64le.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-daemon-2.39.1-1.el9.ppc64le.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-debugsource-2.39.1-1.el9.ppc64le.rpm\ngit-subtree-2.39.1-1.el9.ppc64le.rpm\n\ns390x:\ngit-2.39.1-1.el9.s390x.rpm\ngit-core-2.39.1-1.el9.s390x.rpm\ngit-core-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-credential-libsecret-2.39.1-1.el9.s390x.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-daemon-2.39.1-1.el9.s390x.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-debugsource-2.39.1-1.el9.s390x.rpm\ngit-subtree-2.39.1-1.el9.s390x.rpm\n\nx86_64:\ngit-2.39.1-1.el9.x86_64.rpm\ngit-core-2.39.1-1.el9.x86_64.rpm\ngit-core-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-credential-libsecret-2.39.1-1.el9.x86_64.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-daemon-2.39.1-1.el9.x86_64.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-debugsource-2.39.1-1.el9.x86_64.rpm\ngit-subtree-2.39.1-1.el9.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-24765\nhttps://access.redhat.com/security/cve/CVE-2022-29187\nhttps://access.redhat.com/security/cve/CVE-2022-39253\nhttps://access.redhat.com/security/cve/CVE-2022-39260\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZFo03tzjgjWX9erEAQhYSg//bKkon2hHN6jSsXXntqw9ViT5zo9r/KTD\ncV+t7GM4ipVK8j4EW8EnQKrJBWAzsEhqM2vh9MvM/PpTQ2I/JP53YbTed0qgxE3T\nSU07XMVbh1BA7OKyJ+eKfWJLBT03/VzzaepqQPwyHyFDAegJ/L9DlZOkHc9NJrfa\nR+N2Hde/TmUlnRl737ltWtQHE1QSTV1PQZuXb3AEWm6FDe7O62F0GpsuIWj1z8oo\nIIDLHRjp/mCqT6/A70NIRQvcwhLfRYYMOezKL80iGi7WwRokwEScDFE+gzB9FLrf\npjNBFZkQVVxMVYOejArmPuLINaEdZJo/HAOiEtw9gOTzALyKFbWwOHDmSzz1hgbz\nkqFtZgwnpVZNs3UubXCgWeP4aU9xueZeyBHKNQKVERODtrKFt5jbpPrXu6qGyP9O\n6GSgMbUDO5OMqOhTKQiMbKj5gO2DfOIO6vNP5eFwvSXPJG0ZlPIzAJD1cwZdtsVK\nwWBIMfjjc8zUh8OYm+CWg/lgpZLkQxe/wtFcC7Pw1u7nkN95npMXM3O75R8xe1zg\nxsa+wzjCmVRwrO2gLnT7/NUkY3saShCvBD+A82trnasbVlI/49oiojZY1PI3CZtz\nafQDlfLvgygNkV3e5CGe5p9PILwmFbrpALV43dEz6eY+MbeuoE6I7ON8tYtmx4Ds\nhOpSLJjOLjE=YQQZ\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2022-11-01-1 Xcode 14.1\n\nXcode 14.1 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT213496. \n\nGit\nAvailable for: macOS Monterey 12.5 and later\nImpact: Multiple issues in git\nDescription: Multiple issues were addressed by updating to git\nversion 2.32.3. \nCVE-2022-29187: Carlo Marcelo Arenas Bel\u00f3n and Johannes Schindelin\n\nGit\nAvailable for: macOS Monterey 12.5 and later\nImpact: Cloning a malicious repository may result in the disclosure\nof sensitive information\nDescription: This issue was addressed with improved checks. \nCVE-2022-39253: Cory Snider of Mirantis\n\nGit\nAvailable for: macOS Monterey 12.5 and later\nImpact: A remote user may cause an unexpected app termination or\narbitrary code execution if git shell is allowed as a login shell\nDescription: This issue was addressed with improved checks. \nCVE-2022-39260: Kevin Backhouse of the GitHub Security Lab\n\nIDE Xcode Server\nAvailable for: macOS Monterey 12.5 and later\nImpact: An app may be able to gain root privileges\nDescription: An injection issue was addressed with improved input\nvalidation. \nCVE-2022-42797: Tim Michaud (@TimGMichaud) of Moveworks.ai\n\nXcode 14.1 may be obtained from:\nhttps://developer.apple.com/xcode/downloads/ To check that the Xcode\nhas been updated: * Select Xcode in the menu bar * Select About\nXcode * The version after applying this update will be \"Xcode 14.1\". \nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. \n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. \nAn attacker may trigger remote code execution, cause local users into\nexecuting arbitrary commands, leak information from the local filesystem,\nand bypass restricted shell. \n\nThis update includes two changes of behavior that may affect certain setup:\n - It stops when directory traversal changes ownership from the current\n user while looking for a top-level git directory, a user could make an\n exception by using the new safe.directory configuration. \n - The default of protocol.file.allow has been changed from \"always\" to\n \"user\". \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:2.30.2-1+deb11u1. \n\nWe recommend that you upgrade your git packages. \n\nBackground\n=========\nlibgit2 is a portable, pure C implementation of the Git core methods\nprovided as a re-entrant linkable library with a solid API. \n\nImpact\n=====\nUsages of a malicious crafted Git repository could allow the creator of\nthe repository to elevate privileges to those of the user accessing the\nrepository. \n\nWorkaround\n=========\nAdministrators can ensure that their usages of libgit2 only interact\nwith repositories which have only been modified by trusted users. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202312-15\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Git: Multiple Vulnerabilities\n Date: December 27, 2023\n Bugs: #838127, #857831, #877565, #891221, #894472, #905088\n ID: 202312-15\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nSeveral vulnerabilities have been found in Git, the worst of which could\nlead to remote code execution. \n\nBackground\n==========\n\nGit is a free and open source distributed version control system\ndesigned to handle everything from small to very large projects with\nspeed and efficiency. \n\nAffected packages\n=================\n\nPackage Vulnerable Unaffected\n----------- ------------ ------------\ndev-vcs/git \u003c 2.39.3 \u003e= 2.39.3\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Git. Please review the\nCVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Git users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-vcs/git-2.39.3\"\n\nReferences\n==========\n\n[ 1 ] CVE-2022-23521\n https://nvd.nist.gov/vuln/detail/CVE-2022-23521\n[ 2 ] CVE-2022-24765\n https://nvd.nist.gov/vuln/detail/CVE-2022-24765\n[ 3 ] CVE-2022-29187\n https://nvd.nist.gov/vuln/detail/CVE-2022-29187\n[ 4 ] CVE-2022-39253\n https://nvd.nist.gov/vuln/detail/CVE-2022-39253\n[ 5 ] CVE-2022-39260\n https://nvd.nist.gov/vuln/detail/CVE-2022-39260\n[ 6 ] CVE-2022-41903\n https://nvd.nist.gov/vuln/detail/CVE-2022-41903\n[ 7 ] CVE-2023-22490\n https://nvd.nist.gov/vuln/detail/CVE-2023-22490\n[ 8 ] CVE-2023-23946\n https://nvd.nist.gov/vuln/detail/CVE-2023-23946\n[ 9 ] CVE-2023-25652\n https://nvd.nist.gov/vuln/detail/CVE-2023-25652\n[ 10 ] CVE-2023-25815\n https://nvd.nist.gov/vuln/detail/CVE-2023-25815\n[ 11 ] CVE-2023-29007\n https://nvd.nist.gov/vuln/detail/CVE-2023-29007\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202312-15\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2023 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n", "sources": [ { "db": "NVD", "id": "CVE-2022-29187" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "VULHUB", "id": "VHN-420721" }, { "db": "VULMON", "id": "CVE-2022-29187" }, { "db": "PACKETSTORM", "id": "167744" }, { "db": "PACKETSTORM", "id": "172366" }, { "db": "PACKETSTORM", "id": "172210" }, { "db": "PACKETSTORM", "id": "169735" }, { "db": "PACKETSTORM", "id": "170787" }, { "db": "PACKETSTORM", "id": "176551" }, { "db": "PACKETSTORM", "id": "176313" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-29187", "trust": 4.1 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/07/14/1", "trust": 2.6 }, { "db": "ICS CERT", "id": "ICSA-24-046-11", "trust": 0.9 }, { "db": "PACKETSTORM", "id": "167744", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "169735", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "170787", "trust": 0.8 }, { "db": "JVN", "id": "JVNVU91198149", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2022-015238", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2022072538", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022071416", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022071350", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072638", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.3430", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.4630", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.3674", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.5479", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202207-1179", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-420721", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2022-29187", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "172366", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "172210", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "176551", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "176313", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-420721" }, { "db": "VULMON", "id": "CVE-2022-29187" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "PACKETSTORM", "id": "167744" }, { "db": "PACKETSTORM", "id": "172366" }, { "db": "PACKETSTORM", "id": "172210" }, { "db": "PACKETSTORM", "id": "169735" }, { "db": "PACKETSTORM", "id": "170787" }, { "db": "PACKETSTORM", "id": "176551" }, { "db": "PACKETSTORM", "id": "176313" }, { "db": "CNNVD", "id": "CNNVD-202207-1179" }, { "db": "NVD", "id": "CVE-2022-29187" } ] }, "id": "VAR-202207-0791", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-420721" } ], "trust": 0.01 }, "last_update_date": "2024-08-14T12:14:02.795000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "HT213496 Apple\u00a0 Security update", "trust": 0.8, "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html" }, { "title": "Github Git Fixes for code issue vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=216957" }, { "title": "Ubuntu Security Notice: USN-5511-1: Git vulnerabilities", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-5511-1" }, { "title": "Amazon Linux AMI: ALAS-2022-1623", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2022-1623" }, { "title": "Debian CVElist Bug Report Logs: git: CVE-2022-29187", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=31324a5ad54489fd6559d515d47be3cb" }, { "title": "Red Hat: Moderate: git security and bug fix update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20232319 - Security Advisory" }, { "title": "Red Hat: Moderate: git security and bug fix update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20232859 - Security Advisory" }, { "title": "Amazon Linux 2: ALAS2-2022-1820", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2022-1820" }, { "title": "Red Hat: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2022-29187" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2022-29187" }, { "title": "Amazon Linux 2022: ALAS2022-2022-118", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022\u0026qid=ALAS2022-2022-118" }, { "title": "Amazon Linux 2022: ALAS-2022-236", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022\u0026qid=ALAS-2022-236" }, { "title": "https://github.com/9069332997/session-1-full-stack", "trust": 0.1, "url": "https://github.com/9069332997/session-1-full-stack " } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-29187" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "CNNVD", "id": "CNNVD-202207-1179" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-282", "trust": 1.1 }, { "problemtype": "CWE-427", "trust": 1.1 }, { "problemtype": "Uncontrolled search path elements (CWE-427) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "VULHUB", "id": "VHN-420721" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "NVD", "id": "CVE-2022-29187" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "http://www.openwall.com/lists/oss-security/2022/07/14/1" }, { "trust": 1.8, "url": "https://support.apple.com/kb/ht213496" }, { "trust": 1.8, "url": "https://github.com/git/git/security/advisories/ghsa-j342-m5hw-rr3v" }, { "trust": 1.8, "url": "http://seclists.org/fulldisclosure/2022/nov/1" }, { "trust": 1.8, "url": "https://github.blog/2022-04-12-git-security-vulnerability-announced" }, { "trust": 1.8, "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html" }, { "trust": 1.5, "url": "https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/t/#u" }, { "trust": 1.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-29187" }, { "trust": 1.2, "url": "https://security.gentoo.org/glsa/202312-15" }, { "trust": 1.2, "url": "https://security.gentoo.org/glsa/202401-17" }, { "trust": 1.1, "url": "https://lore.kernel.org/git/xmqqv8s2fefi.fsf%40gitster.g/t/#u" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/trzg5cduq27owtpc5mqor4uasnxhwezs/" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ddi325loo2xbddklinoaqjeg6mhaurze/" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/dikwiswudft2faityia6372bvlh3oooc/" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/yrocmbwyfkrss64po6funm6l7lkbukvw/" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/hvoler2pigmhpqmdgg4rde2kzb74qla2/" }, { "trust": 1.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/udzrzal7qulob6v7mkt66momwjlbjpx4/" }, { "trust": 0.9, "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-11" }, { "trust": 0.8, "url": "https://jvn.jp/vu/jvnvu91198149/index.html" }, { "trust": 0.7, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ddi325loo2xbddklinoaqjeg6mhaurze/" }, { "trust": 0.7, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/trzg5cduq27owtpc5mqor4uasnxhwezs/" }, { "trust": 0.7, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/hvoler2pigmhpqmdgg4rde2kzb74qla2/" }, { "trust": 0.7, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/udzrzal7qulob6v7mkt66momwjlbjpx4/" }, { "trust": 0.7, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/dikwiswudft2faityia6372bvlh3oooc/" }, { "trust": 0.7, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/yrocmbwyfkrss64po6funm6l7lkbukvw/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022071350" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/169735/apple-security-advisory-2022-11-01-1.html" }, { "trust": 0.6, "url": "https://support.apple.com/en-us/ht213496" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-29187/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.3430" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072638" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/git-code-execution-via-safe-directory-bypass-38786" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.3674" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.4630" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.5479" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/170787/debian-security-advisory-5332-1.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/167744/ubuntu-security-notice-usn-5511-1.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072538" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022071416" }, { "trust": 0.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24765" }, { "trust": 0.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39260" }, { "trust": 0.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39253" }, { "trust": 0.2, "url": "https://ubuntu.com/security/notices/usn-5511-1" }, { "trust": 0.2, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-39260" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-24765" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-39253" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-29187" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41903" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23521" }, { "trust": 0.2, "url": "https://bugs.gentoo.org." }, { "trust": 0.2, "url": "https://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.2, "url": "https://security.gentoo.org/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/427.html" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/282.html" }, { "trust": 0.1, "url": "https://alas.aws.amazon.com/alas-2022-1623.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.5" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.4" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.12" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/git/1:2.32.0-1ubuntu1.3" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:2859" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2023:2319" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42797" }, { "trust": 0.1, "url": "https://developer.apple.com/xcode/downloads/" }, { "trust": 0.1, "url": "https://support.apple.com/en-us/ht201222." }, { "trust": 0.1, "url": "https://www.apple.com/support/security/pgp/" }, { "trust": 0.1, "url": "https://support.apple.com/ht213496." }, { "trust": 0.1, "url": "https://www.debian.org/security/" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/git" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-29007" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25815" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-23946" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25652" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-22490" } ], "sources": [ { "db": "VULHUB", "id": "VHN-420721" }, { "db": "VULMON", "id": "CVE-2022-29187" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "PACKETSTORM", "id": "167744" }, { "db": "PACKETSTORM", "id": "172366" }, { "db": "PACKETSTORM", "id": "172210" }, { "db": "PACKETSTORM", "id": "169735" }, { "db": "PACKETSTORM", "id": "170787" }, { "db": "PACKETSTORM", "id": "176551" }, { "db": "PACKETSTORM", "id": "176313" }, { "db": "CNNVD", "id": "CNNVD-202207-1179" }, { "db": "NVD", "id": "CVE-2022-29187" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-420721" }, { "db": "VULMON", "id": "CVE-2022-29187" }, { "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "db": "PACKETSTORM", "id": "167744" }, { "db": "PACKETSTORM", "id": "172366" }, { "db": "PACKETSTORM", "id": "172210" }, { "db": "PACKETSTORM", "id": "169735" }, { "db": "PACKETSTORM", "id": "170787" }, { "db": "PACKETSTORM", "id": "176551" }, { "db": "PACKETSTORM", "id": "176313" }, { "db": "CNNVD", "id": "CNNVD-202207-1179" }, { "db": "NVD", "id": "CVE-2022-29187" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-07-12T00:00:00", "db": "VULHUB", "id": "VHN-420721" }, { "date": "2022-07-12T00:00:00", "db": "VULMON", "id": "CVE-2022-29187" }, { "date": "2023-09-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "date": "2022-07-14T14:29:12", "db": "PACKETSTORM", "id": "167744" }, { "date": "2023-05-16T17:08:14", "db": "PACKETSTORM", "id": "172366" }, { "date": "2023-05-09T15:18:13", "db": "PACKETSTORM", "id": "172210" }, { "date": "2022-11-08T13:42:03", "db": "PACKETSTORM", "id": "169735" }, { "date": "2023-01-30T16:35:13", "db": "PACKETSTORM", "id": "170787" }, { "date": "2024-01-15T13:55:20", "db": "PACKETSTORM", "id": "176551" }, { "date": "2023-12-27T14:55:24", "db": "PACKETSTORM", "id": "176313" }, { "date": "2022-07-12T00:00:00", "db": "CNNVD", "id": "CNNVD-202207-1179" }, { "date": "2022-07-12T21:15:09.560000", "db": "NVD", "id": "CVE-2022-29187" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-01-31T00:00:00", "db": "VULHUB", "id": "VHN-420721" }, { "date": "2024-01-14T00:00:00", "db": "VULMON", "id": "CVE-2022-29187" }, { "date": "2024-02-19T06:55:00", "db": "JVNDB", "id": "JVNDB-2022-015238" }, { "date": "2023-02-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202207-1179" }, { "date": "2024-01-14T10:15:08.090000", "db": "NVD", "id": "CVE-2022-29187" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202207-1179" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Git\u00a0 Vulnerability regarding uncontrolled search path elements in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-015238" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code problem", "sources": [ { "db": "CNNVD", "id": "CNNVD-202207-1179" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.