var-202210-1202
Vulnerability from variot

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's $GIT_DIR/objects directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via --no-hardlinks). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the --recurse-submodules option. Git does not create symbolic links in the $GIT_DIR/objects directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the --local optimization when on a shared machine, either by passing the --no-local option to git clone or cloning from a URL that uses the file:// scheme. Alternatively, avoid cloning repositories from untrusted sources with --recurse-submodules or run git config --global protocol.file.allow user. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell.

This update includes two changes of behavior that may affect certain setup: - It stops when directory traversal changes ownership from the current user while looking for a top-level git directory, a user could make an exception by using the new safe.directory configuration. - The default of protocol.file.allow has been changed from "always" to "user".

For the stable distribution (bullseye), these problems have been fixed in version 1:2.30.2-1+deb11u1.

We recommend that you upgrade your git packages. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202312-15


                                       https://security.gentoo.org/

Severity: High Title: Git: Multiple Vulnerabilities Date: December 27, 2023 Bugs: #838127, #857831, #877565, #891221, #894472, #905088 ID: 202312-15


Synopsis

Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution.

Affected packages

Package Vulnerable Unaffected


dev-vcs/git < 2.39.3 >= 2.39.3

Description

Multiple vulnerabilities have been discovered in Git. Please review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All Git users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.39.3"

References

[ 1 ] CVE-2022-23521 https://nvd.nist.gov/vuln/detail/CVE-2022-23521 [ 2 ] CVE-2022-24765 https://nvd.nist.gov/vuln/detail/CVE-2022-24765 [ 3 ] CVE-2022-29187 https://nvd.nist.gov/vuln/detail/CVE-2022-29187 [ 4 ] CVE-2022-39253 https://nvd.nist.gov/vuln/detail/CVE-2022-39253 [ 5 ] CVE-2022-39260 https://nvd.nist.gov/vuln/detail/CVE-2022-39260 [ 6 ] CVE-2022-41903 https://nvd.nist.gov/vuln/detail/CVE-2022-41903 [ 7 ] CVE-2023-22490 https://nvd.nist.gov/vuln/detail/CVE-2023-22490 [ 8 ] CVE-2023-23946 https://nvd.nist.gov/vuln/detail/CVE-2023-23946 [ 9 ] CVE-2023-25652 https://nvd.nist.gov/vuln/detail/CVE-2023-25652 [ 10 ] CVE-2023-25815 https://nvd.nist.gov/vuln/detail/CVE-2023-25815 [ 11 ] CVE-2023-29007 https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202312-15

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

APPLE-SA-2022-11-01-1 Xcode 14.1

Xcode 14.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213496.

Git Available for: macOS Monterey 12.5 and later Impact: Multiple issues in git Description: Multiple issues were addressed by updating to git version 2.32.3. CVE-2022-29187: Carlo Marcelo Arenas Belón and Johannes Schindelin

Git Available for: macOS Monterey 12.5 and later Impact: Cloning a malicious repository may result in the disclosure of sensitive information Description: This issue was addressed with improved checks. CVE-2022-39253: Cory Snider of Mirantis

Git Available for: macOS Monterey 12.5 and later Impact: A remote user may cause an unexpected app termination or arbitrary code execution if git shell is allowed as a login shell Description: This issue was addressed with improved checks. CVE-2022-39260: Kevin Backhouse of the GitHub Security Lab

IDE Xcode Server Available for: macOS Monterey 12.5 and later Impact: An app may be able to gain root privileges Description: An injection issue was addressed with improved input validation. CVE-2022-42797: Tim Michaud (@TimGMichaud) of Moveworks.ai

Xcode 14.1 may be obtained from: https://developer.apple.com/xcode/downloads/ To check that the Xcode has been updated: * Select Xcode in the menu bar * Select About Xcode * The version after applying this update will be "Xcode 14.1". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. ========================================================================== Ubuntu Security Notice USN-5686-3 November 21, 2022

git vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.10

Summary:

Several security issues were fixed in Git. This update provides the corresponding updates for Ubuntu 22.10.

Original advisory details:

Cory Snider discovered that Git incorrectly handled certain symbolic links. An attacker could possibly use this issue to cause an unexpected behaviour. (CVE-2022-39253)

Kevin Backhouse discovered that Git incorrectly handled certain command strings. An attacker could possibly use this issue to arbitrary code execution. (CVE-2022-39260)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10: git 1:2.37.2-1ubuntu1.1

In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: git security and bug fix update Advisory ID: RHSA-2023:2319-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2319 Issue date: 2023-05-09 CVE Names: CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 ==================================================================== 1. Summary:

An update for git is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

  1. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

  • git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree (CVE-2022-24765)

  • git: Bypass of safe.directory protections (CVE-2022-29187)

  • git: exposure of sensitive information to a malicious actor (CVE-2022-39253)

  • git: git shell function that splits command arguments can lead to arbitrary heap writes. (CVE-2022-39260)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

  1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2073414 - CVE-2022-24765 git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree 2107439 - CVE-2022-29187 git: Bypass of safe.directory protections 2137422 - CVE-2022-39253 git: exposure of sensitive information to a malicious actor 2137423 - CVE-2022-39260 git: git shell function that splits command arguments can lead to arbitrary heap writes. 2139379 - Rebase git to 2.39 version [rhel-9.2]

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source: git-2.39.1-1.el9.src.rpm

aarch64: git-2.39.1-1.el9.aarch64.rpm git-core-2.39.1-1.el9.aarch64.rpm git-core-debuginfo-2.39.1-1.el9.aarch64.rpm git-credential-libsecret-2.39.1-1.el9.aarch64.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.aarch64.rpm git-daemon-2.39.1-1.el9.aarch64.rpm git-daemon-debuginfo-2.39.1-1.el9.aarch64.rpm git-debuginfo-2.39.1-1.el9.aarch64.rpm git-debugsource-2.39.1-1.el9.aarch64.rpm git-subtree-2.39.1-1.el9.aarch64.rpm

noarch: git-all-2.39.1-1.el9.noarch.rpm git-core-doc-2.39.1-1.el9.noarch.rpm git-email-2.39.1-1.el9.noarch.rpm git-gui-2.39.1-1.el9.noarch.rpm git-instaweb-2.39.1-1.el9.noarch.rpm git-svn-2.39.1-1.el9.noarch.rpm gitk-2.39.1-1.el9.noarch.rpm gitweb-2.39.1-1.el9.noarch.rpm perl-Git-2.39.1-1.el9.noarch.rpm perl-Git-SVN-2.39.1-1.el9.noarch.rpm

ppc64le: git-2.39.1-1.el9.ppc64le.rpm git-core-2.39.1-1.el9.ppc64le.rpm git-core-debuginfo-2.39.1-1.el9.ppc64le.rpm git-credential-libsecret-2.39.1-1.el9.ppc64le.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.ppc64le.rpm git-daemon-2.39.1-1.el9.ppc64le.rpm git-daemon-debuginfo-2.39.1-1.el9.ppc64le.rpm git-debuginfo-2.39.1-1.el9.ppc64le.rpm git-debugsource-2.39.1-1.el9.ppc64le.rpm git-subtree-2.39.1-1.el9.ppc64le.rpm

s390x: git-2.39.1-1.el9.s390x.rpm git-core-2.39.1-1.el9.s390x.rpm git-core-debuginfo-2.39.1-1.el9.s390x.rpm git-credential-libsecret-2.39.1-1.el9.s390x.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.s390x.rpm git-daemon-2.39.1-1.el9.s390x.rpm git-daemon-debuginfo-2.39.1-1.el9.s390x.rpm git-debuginfo-2.39.1-1.el9.s390x.rpm git-debugsource-2.39.1-1.el9.s390x.rpm git-subtree-2.39.1-1.el9.s390x.rpm

x86_64: git-2.39.1-1.el9.x86_64.rpm git-core-2.39.1-1.el9.x86_64.rpm git-core-debuginfo-2.39.1-1.el9.x86_64.rpm git-credential-libsecret-2.39.1-1.el9.x86_64.rpm git-credential-libsecret-debuginfo-2.39.1-1.el9.x86_64.rpm git-daemon-2.39.1-1.el9.x86_64.rpm git-daemon-debuginfo-2.39.1-1.el9.x86_64.rpm git-debuginfo-2.39.1-1.el9.x86_64.rpm git-debugsource-2.39.1-1.el9.x86_64.rpm git-subtree-2.39.1-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-24765 https://access.redhat.com/security/cve/CVE-2022-29187 https://access.redhat.com/security/cve/CVE-2022-39253 https://access.redhat.com/security/cve/CVE-2022-39260 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBZFo03tzjgjWX9erEAQhYSg//bKkon2hHN6jSsXXntqw9ViT5zo9r/KTD cV+t7GM4ipVK8j4EW8EnQKrJBWAzsEhqM2vh9MvM/PpTQ2I/JP53YbTed0qgxE3T SU07XMVbh1BA7OKyJ+eKfWJLBT03/VzzaepqQPwyHyFDAegJ/L9DlZOkHc9NJrfa R+N2Hde/TmUlnRl737ltWtQHE1QSTV1PQZuXb3AEWm6FDe7O62F0GpsuIWj1z8oo IIDLHRjp/mCqT6/A70NIRQvcwhLfRYYMOezKL80iGi7WwRokwEScDFE+gzB9FLrf pjNBFZkQVVxMVYOejArmPuLINaEdZJo/HAOiEtw9gOTzALyKFbWwOHDmSzz1hgbz kqFtZgwnpVZNs3UubXCgWeP4aU9xueZeyBHKNQKVERODtrKFt5jbpPrXu6qGyP9O 6GSgMbUDO5OMqOhTKQiMbKj5gO2DfOIO6vNP5eFwvSXPJG0ZlPIzAJD1cwZdtsVK wWBIMfjjc8zUh8OYm+CWg/lgpZLkQxe/wtFcC7Pw1u7nkN95npMXM3O75R8xe1zg xsa+wzjCmVRwrO2gLnT7/NUkY3saShCvBD+A82trnasbVlI/49oiojZY1PI3CZtz afQDlfLvgygNkV3e5CGe5p9PILwmFbrpALV43dEz6eY+MbeuoE6I7ON8tYtmx4Ds hOpSLJjOLjE=YQQZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202210-1202",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.32.0"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.30.6"
      },
      {
        "model": "git",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.38.0"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "37"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.35.5"
      },
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.36.0"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "36"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.33.5"
      },
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.31.0"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.37.4"
      },
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.33.0"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "35"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.32.4"
      },
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.35.0"
      },
      {
        "model": "xcode",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "apple",
        "version": "14.1"
      },
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.34.0"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.34.5"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.31.5"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "10.0"
      },
      {
        "model": "git",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.36.3"
      },
      {
        "model": "git",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "git scm",
        "version": "2.37.0"
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Ubuntu",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "db": "PACKETSTORM",
        "id": "169954"
      },
      {
        "db": "PACKETSTORM",
        "id": "171570"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2022-39253",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "id": "CVE-2022-39253",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2022-39253",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2022-39253",
            "trust": 1.0,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source\u0027s `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim\u0027s machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. \nAn attacker may trigger remote code execution, cause local users into\nexecuting arbitrary commands, leak information from the local filesystem,\nand bypass restricted shell. \n\nThis update includes two changes of behavior that may affect certain setup:\n  - It stops when directory traversal changes ownership from the current\n    user while looking for a top-level git directory, a user could make an\n    exception by using the new safe.directory configuration. \n  - The default of protocol.file.allow has been changed from \"always\" to\n    \"user\". \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:2.30.2-1+deb11u1. \n\nWe recommend that you upgrade your git packages. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 202312-15\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n    Title: Git: Multiple Vulnerabilities\n     Date: December 27, 2023\n     Bugs: #838127, #857831, #877565, #891221, #894472, #905088\n       ID: 202312-15\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nSeveral vulnerabilities have been found in Git, the worst of which could\nlead to remote code execution. \n\nAffected packages\n=================\n\nPackage      Vulnerable    Unaffected\n-----------  ------------  ------------\ndev-vcs/git  \u003c 2.39.3      \u003e= 2.39.3\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Git. Please review the\nCVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Git users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=dev-vcs/git-2.39.3\"\n\nReferences\n==========\n\n[ 1 ] CVE-2022-23521\n      https://nvd.nist.gov/vuln/detail/CVE-2022-23521\n[ 2 ] CVE-2022-24765\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24765\n[ 3 ] CVE-2022-29187\n      https://nvd.nist.gov/vuln/detail/CVE-2022-29187\n[ 4 ] CVE-2022-39253\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39253\n[ 5 ] CVE-2022-39260\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39260\n[ 6 ] CVE-2022-41903\n      https://nvd.nist.gov/vuln/detail/CVE-2022-41903\n[ 7 ] CVE-2023-22490\n      https://nvd.nist.gov/vuln/detail/CVE-2023-22490\n[ 8 ] CVE-2023-23946\n      https://nvd.nist.gov/vuln/detail/CVE-2023-23946\n[ 9 ] CVE-2023-25652\n      https://nvd.nist.gov/vuln/detail/CVE-2023-25652\n[ 10 ] CVE-2023-25815\n      https://nvd.nist.gov/vuln/detail/CVE-2023-25815\n[ 11 ] CVE-2023-29007\n      https://nvd.nist.gov/vuln/detail/CVE-2023-29007\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202312-15\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2023 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2022-11-01-1 Xcode 14.1\n\nXcode 14.1 addresses the following issues. \nInformation about the security content is also available at\nhttps://support.apple.com/HT213496. \n\nGit\nAvailable for: macOS Monterey 12.5 and later\nImpact: Multiple issues in git\nDescription: Multiple issues were addressed by updating to git\nversion 2.32.3. \nCVE-2022-29187: Carlo Marcelo Arenas Bel\u00f3n and Johannes Schindelin\n\nGit\nAvailable for: macOS Monterey 12.5 and later\nImpact: Cloning a malicious repository may result in the disclosure\nof sensitive information\nDescription: This issue was addressed with improved checks. \nCVE-2022-39253: Cory Snider of Mirantis\n\nGit\nAvailable for: macOS Monterey 12.5 and later\nImpact: A remote user may cause an unexpected app termination or\narbitrary code execution if git shell is allowed as a login shell\nDescription: This issue was addressed with improved checks. \nCVE-2022-39260: Kevin Backhouse of the GitHub Security Lab\n\nIDE Xcode Server\nAvailable for: macOS Monterey 12.5 and later\nImpact: An app may be able to gain root privileges\nDescription: An injection issue was addressed with improved input\nvalidation. \nCVE-2022-42797: Tim Michaud (@TimGMichaud) of Moveworks.ai\n\nXcode 14.1 may be obtained from:\nhttps://developer.apple.com/xcode/downloads/  To check that the Xcode\nhas been updated:  * Select Xcode in the menu bar * Select About\nXcode * The version after applying this update will be \"Xcode 14.1\". \nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. \n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\nAll information is also posted on the Apple Security Updates\nweb site: https://support.apple.com/en-us/HT201222. ==========================================================================\nUbuntu Security Notice USN-5686-3\nNovember 21, 2022\n\ngit vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.10\n\nSummary:\n\nSeveral security issues were fixed in Git. This update provides the corresponding\nupdates for Ubuntu 22.10. \n\nOriginal advisory details:\n\n Cory Snider discovered that Git incorrectly handled certain symbolic links. \n An attacker could possibly use this issue to cause an unexpected behaviour. \n (CVE-2022-39253)\n\n Kevin Backhouse discovered that Git incorrectly handled certain command strings. \n An attacker could possibly use this issue to arbitrary code execution. \n (CVE-2022-39260)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.10:\n  git                             1:2.37.2-1ubuntu1.1\n\nIn general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Moderate: git security and bug fix update\nAdvisory ID:       RHSA-2023:2319-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2023:2319\nIssue date:        2023-05-09\nCVE Names:         CVE-2022-24765 CVE-2022-29187 CVE-2022-39253\n                   CVE-2022-39260\n====================================================================\n1. Summary:\n\nAn update for git is now available for Red Hat Enterprise Linux 9. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. As opposed to centralized version control systems with a\nclient-server model, Git ensures that each working copy of a Git repository\nis an exact copy with complete revision history. This not only allows the\nuser to work on and contribute to projects without the need to have\npermission to push the changes to their official repositories, but also\nmakes it possible for the user to work with no network connection. \n\nSecurity Fix(es):\n\n* git: On multi-user machines Git users might find themselves unexpectedly\nin a Git worktree (CVE-2022-24765)\n\n* git: Bypass of safe.directory protections (CVE-2022-29187)\n\n* git: exposure of sensitive information to a malicious actor\n(CVE-2022-39253)\n\n* git: git shell function that splits command arguments can lead to\narbitrary heap writes. (CVE-2022-39260)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 9.2 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2073414 - CVE-2022-24765 git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree\n2107439 - CVE-2022-29187 git: Bypass of safe.directory protections\n2137422 - CVE-2022-39253 git: exposure of sensitive information to a malicious actor\n2137423 - CVE-2022-39260 git: git shell function that splits command arguments can lead to arbitrary heap writes. \n2139379 - Rebase git to 2.39 version [rhel-9.2]\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 9):\n\nSource:\ngit-2.39.1-1.el9.src.rpm\n\naarch64:\ngit-2.39.1-1.el9.aarch64.rpm\ngit-core-2.39.1-1.el9.aarch64.rpm\ngit-core-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-credential-libsecret-2.39.1-1.el9.aarch64.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-daemon-2.39.1-1.el9.aarch64.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-debuginfo-2.39.1-1.el9.aarch64.rpm\ngit-debugsource-2.39.1-1.el9.aarch64.rpm\ngit-subtree-2.39.1-1.el9.aarch64.rpm\n\nnoarch:\ngit-all-2.39.1-1.el9.noarch.rpm\ngit-core-doc-2.39.1-1.el9.noarch.rpm\ngit-email-2.39.1-1.el9.noarch.rpm\ngit-gui-2.39.1-1.el9.noarch.rpm\ngit-instaweb-2.39.1-1.el9.noarch.rpm\ngit-svn-2.39.1-1.el9.noarch.rpm\ngitk-2.39.1-1.el9.noarch.rpm\ngitweb-2.39.1-1.el9.noarch.rpm\nperl-Git-2.39.1-1.el9.noarch.rpm\nperl-Git-SVN-2.39.1-1.el9.noarch.rpm\n\nppc64le:\ngit-2.39.1-1.el9.ppc64le.rpm\ngit-core-2.39.1-1.el9.ppc64le.rpm\ngit-core-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-credential-libsecret-2.39.1-1.el9.ppc64le.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-daemon-2.39.1-1.el9.ppc64le.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-debuginfo-2.39.1-1.el9.ppc64le.rpm\ngit-debugsource-2.39.1-1.el9.ppc64le.rpm\ngit-subtree-2.39.1-1.el9.ppc64le.rpm\n\ns390x:\ngit-2.39.1-1.el9.s390x.rpm\ngit-core-2.39.1-1.el9.s390x.rpm\ngit-core-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-credential-libsecret-2.39.1-1.el9.s390x.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-daemon-2.39.1-1.el9.s390x.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-debuginfo-2.39.1-1.el9.s390x.rpm\ngit-debugsource-2.39.1-1.el9.s390x.rpm\ngit-subtree-2.39.1-1.el9.s390x.rpm\n\nx86_64:\ngit-2.39.1-1.el9.x86_64.rpm\ngit-core-2.39.1-1.el9.x86_64.rpm\ngit-core-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-credential-libsecret-2.39.1-1.el9.x86_64.rpm\ngit-credential-libsecret-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-daemon-2.39.1-1.el9.x86_64.rpm\ngit-daemon-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-debuginfo-2.39.1-1.el9.x86_64.rpm\ngit-debugsource-2.39.1-1.el9.x86_64.rpm\ngit-subtree-2.39.1-1.el9.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-24765\nhttps://access.redhat.com/security/cve/CVE-2022-29187\nhttps://access.redhat.com/security/cve/CVE-2022-39253\nhttps://access.redhat.com/security/cve/CVE-2022-39260\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2023 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBZFo03tzjgjWX9erEAQhYSg//bKkon2hHN6jSsXXntqw9ViT5zo9r/KTD\ncV+t7GM4ipVK8j4EW8EnQKrJBWAzsEhqM2vh9MvM/PpTQ2I/JP53YbTed0qgxE3T\nSU07XMVbh1BA7OKyJ+eKfWJLBT03/VzzaepqQPwyHyFDAegJ/L9DlZOkHc9NJrfa\nR+N2Hde/TmUlnRl737ltWtQHE1QSTV1PQZuXb3AEWm6FDe7O62F0GpsuIWj1z8oo\nIIDLHRjp/mCqT6/A70NIRQvcwhLfRYYMOezKL80iGi7WwRokwEScDFE+gzB9FLrf\npjNBFZkQVVxMVYOejArmPuLINaEdZJo/HAOiEtw9gOTzALyKFbWwOHDmSzz1hgbz\nkqFtZgwnpVZNs3UubXCgWeP4aU9xueZeyBHKNQKVERODtrKFt5jbpPrXu6qGyP9O\n6GSgMbUDO5OMqOhTKQiMbKj5gO2DfOIO6vNP5eFwvSXPJG0ZlPIzAJD1cwZdtsVK\nwWBIMfjjc8zUh8OYm+CWg/lgpZLkQxe/wtFcC7Pw1u7nkN95npMXM3O75R8xe1zg\nxsa+wzjCmVRwrO2gLnT7/NUkY3saShCvBD+A82trnasbVlI/49oiojZY1PI3CZtz\nafQDlfLvgygNkV3e5CGe5p9PILwmFbrpALV43dEz6eY+MbeuoE6I7ON8tYtmx4Ds\nhOpSLJjOLjE=YQQZ\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      },
      {
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "db": "PACKETSTORM",
        "id": "170787"
      },
      {
        "db": "PACKETSTORM",
        "id": "176313"
      },
      {
        "db": "PACKETSTORM",
        "id": "169735"
      },
      {
        "db": "PACKETSTORM",
        "id": "169954"
      },
      {
        "db": "PACKETSTORM",
        "id": "172366"
      },
      {
        "db": "PACKETSTORM",
        "id": "172210"
      },
      {
        "db": "PACKETSTORM",
        "id": "171570"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-39253",
        "trust": 1.9
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2023/02/14/5",
        "trust": 1.1
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2024/05/14/2",
        "trust": 1.0
      },
      {
        "db": "PACKETSTORM",
        "id": "169416",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "170787",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-435022",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "176313",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "169735",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "169954",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "172366",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "172210",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "171570",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "db": "PACKETSTORM",
        "id": "170787"
      },
      {
        "db": "PACKETSTORM",
        "id": "176313"
      },
      {
        "db": "PACKETSTORM",
        "id": "169735"
      },
      {
        "db": "PACKETSTORM",
        "id": "169954"
      },
      {
        "db": "PACKETSTORM",
        "id": "172366"
      },
      {
        "db": "PACKETSTORM",
        "id": "172210"
      },
      {
        "db": "PACKETSTORM",
        "id": "171570"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "id": "VAR-202210-1202",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-435022"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-29T20:23:50.336000Z",
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-59",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-200",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.1,
        "url": "https://support.apple.com/kb/ht213496"
      },
      {
        "trust": 1.1,
        "url": "https://github.com/git/git/security/advisories/ghsa-3wp6-j8xr-qw85"
      },
      {
        "trust": 1.1,
        "url": "http://seclists.org/fulldisclosure/2022/nov/1"
      },
      {
        "trust": 1.1,
        "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html"
      },
      {
        "trust": 1.1,
        "url": "http://www.openwall.com/lists/oss-security/2023/02/14/5"
      },
      {
        "trust": 1.1,
        "url": "https://security.gentoo.org/glsa/202312-15"
      },
      {
        "trust": 1.0,
        "url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/c7b6jpkx5cgglahxjvqmiznneeb72fhd/"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/jmqwgmdlx6ktvww5jzlvpi7icak72tn7/"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ohno2fb55cpx47baxmbwubgwho6n6zzh/"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ukfhe4kvd7eks5j3ktdfvbeku3clxgvv/"
      },
      {
        "trust": 1.0,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/vfyxctlosesyip72buyd6ecdimum4wmb/"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39253"
      },
      {
        "trust": 0.7,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39260"
      },
      {
        "trust": 0.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-29187"
      },
      {
        "trust": 0.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24765"
      },
      {
        "trust": 0.3,
        "url": "https://ubuntu.com/security/notices/usn-5686-1"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41903"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23521"
      },
      {
        "trust": 0.2,
        "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-39260"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-24765"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/articles/11258"
      },
      {
        "trust": 0.2,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-39253"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-29187"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/team/key/"
      },
      {
        "trust": 0.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/vfyxctlosesyip72buyd6ecdimum4wmb/"
      },
      {
        "trust": 0.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/jmqwgmdlx6ktvww5jzlvpi7icak72tn7/"
      },
      {
        "trust": 0.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ohno2fb55cpx47baxmbwubgwho6n6zzh/"
      },
      {
        "trust": 0.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ukfhe4kvd7eks5j3ktdfvbeku3clxgvv/"
      },
      {
        "trust": 0.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/c7b6jpkx5cgglahxjvqmiznneeb72fhd/"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.6"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.13"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.5"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/git"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-29007"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.gentoo.org."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25815"
      },
      {
        "trust": 0.1,
        "url": "https://creativecommons.org/licenses/by-sa/2.5"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-23946"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25652"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-22490"
      },
      {
        "trust": 0.1,
        "url": "https://security.gentoo.org/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42797"
      },
      {
        "trust": 0.1,
        "url": "https://developer.apple.com/xcode/downloads/"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/en-us/ht201222."
      },
      {
        "trust": 0.1,
        "url": "https://www.apple.com/support/security/pgp/"
      },
      {
        "trust": 0.1,
        "url": "https://support.apple.com/ht213496."
      },
      {
        "trust": 0.1,
        "url": "https://ubuntu.com/security/notices/usn-5686-3"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/git/1:2.37.2-1ubuntu1.1"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2023:2859"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2023:2319"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
      },
      {
        "trust": 0.1,
        "url": "https://ubuntu.com/security/notices/usn-5686-4"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "db": "PACKETSTORM",
        "id": "170787"
      },
      {
        "db": "PACKETSTORM",
        "id": "176313"
      },
      {
        "db": "PACKETSTORM",
        "id": "169735"
      },
      {
        "db": "PACKETSTORM",
        "id": "169954"
      },
      {
        "db": "PACKETSTORM",
        "id": "172366"
      },
      {
        "db": "PACKETSTORM",
        "id": "172210"
      },
      {
        "db": "PACKETSTORM",
        "id": "171570"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "db": "PACKETSTORM",
        "id": "170787"
      },
      {
        "db": "PACKETSTORM",
        "id": "176313"
      },
      {
        "db": "PACKETSTORM",
        "id": "169735"
      },
      {
        "db": "PACKETSTORM",
        "id": "169954"
      },
      {
        "db": "PACKETSTORM",
        "id": "172366"
      },
      {
        "db": "PACKETSTORM",
        "id": "172210"
      },
      {
        "db": "PACKETSTORM",
        "id": "171570"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-10-19T00:00:00",
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "date": "2022-10-18T22:32:05",
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "date": "2023-01-30T16:35:13",
        "db": "PACKETSTORM",
        "id": "170787"
      },
      {
        "date": "2023-12-27T14:55:24",
        "db": "PACKETSTORM",
        "id": "176313"
      },
      {
        "date": "2022-11-08T13:42:03",
        "db": "PACKETSTORM",
        "id": "169735"
      },
      {
        "date": "2022-11-21T15:22:01",
        "db": "PACKETSTORM",
        "id": "169954"
      },
      {
        "date": "2023-05-16T17:08:14",
        "db": "PACKETSTORM",
        "id": "172366"
      },
      {
        "date": "2023-05-09T15:18:13",
        "db": "PACKETSTORM",
        "id": "172210"
      },
      {
        "date": "2023-03-29T10:13:26",
        "db": "PACKETSTORM",
        "id": "171570"
      },
      {
        "date": "2022-10-19T11:15:11.227000",
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-02-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-435022"
      },
      {
        "date": "2024-06-10T18:15:19.643000",
        "db": "NVD",
        "id": "CVE-2022-39253"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote, local",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "170787"
      }
    ],
    "trust": 0.1
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Ubuntu Security Notice USN-5686-1",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "169416"
      }
    ],
    "trust": 0.1
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "arbitrary, code execution",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "169416"
      },
      {
        "db": "PACKETSTORM",
        "id": "170787"
      }
    ],
    "trust": 0.2
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.