
CVE-2022-29187

Published: 12/07/2022 Updated: 14/01/2024
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 614
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 is vulnerable to privilege escalation on all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by root but in which an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or as an Administrator on Windows), and, if that is needed, to reduce its use to a minimum. While a generic workaround is not possible, a system can be hardened against the exploit described in the example by removing any such repository if it already exists and creating one as root to block any future attacks.
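As an added example (not code from the advisory or from the Git project), a POSIX sh audit of the scenario above: it flags a `.git` marker in a shared directory that the current user does not own, and applies the hardening the summary describes by removing such a marker and reserving the name with a directory owned by the caller. It assumes find(1) with -maxdepth and id(1); the function names are made up here.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit and harden a shared directory
# against an attacker-planted repository (the CVE-2022-29187 scenario).

# audit_shared_dir DIR
#   Returns 0 if DIR has no .git marker, 1 if DIR/.git is owned by the
#   current user, 2 if DIR/.git is owned by someone else (untrusted: git run
#   here would read that user's repository configuration).
audit_shared_dir() {
    dir=$1
    marker="$dir/.git"
    if [ ! -e "$marker" ]; then
        echo "ok: no repository marker in $dir"
        return 0
    fi
    # find -user matches only when the marker belongs to the invoking user;
    # -maxdepth 0 looks at the marker itself, not its contents.
    if [ -n "$(find "$marker" -maxdepth 0 -user "$(id -un)" 2>/dev/null)" ]; then
        echo "ok: $marker is owned by $(id -un)"
        return 1
    fi
    echo "WARNING: $marker is owned by another user"
    return 2
}

# harden_shared_dir DIR
#   The mitigation from the summary: remove a foreign .git marker and reserve
#   the name with an empty, caller-owned directory so nobody else can create
#   one later. Run as root against the real shared directory. Returns 0 on
#   success; idempotent when the marker is already ours.
harden_shared_dir() {
    dir=$1
    rc=0
    audit_shared_dir "$dir" >/dev/null || rc=$?
    case $rc in
        0) ;;                      # nothing present yet: reserve the name below
        1) return 0 ;;             # already owned by us, nothing to do
        2) rm -rf "$dir/.git" ;;   # foreign repository: remove, then reserve
    esac
    mkdir -m 0700 "$dir/.git"
}
```

The audit alone is safe to run as any user; only the hardening step needs to run as the directory owner (root for a shared tmp directory).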

Vulnerable Products

git-scm git

fedoraproject fedora 35

fedoraproject fedora 36

fedoraproject fedora 37

apple xcode

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #1014848 git: CVE-2022-29187. Package: src:git; Maintainer for src:git is Jonathan Nieder <jrnieder@gmail.com>; Reported by: Salvatore Bonaccorso <carnil@debian.org>. Date: Wed, 13 Jul 2022 07:06:04 UTC. Severity: important. Tags: security, upstream. Found in version git/1:2.36.1-1. Reply or ...
Git could be made to run arbitrary commands as an administrator if it received specially crafted inputs ...
Synopsis: Moderate: git security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for git is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having ...
Synopsis: Moderate: git security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having ...
A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This issue allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository (CVE-2022-29187 ...
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is ...
Severity: Unknown. Remote: Unknown. Type: Unknown. Description: AVG-2778 git 2.37.0-1 2.37.1-1 Unknown Fixed ...
ALAS-2022-236 Amazon Linux 2022 Security Advisory: ALAS-2022-236 Advisory Release Date: 2022-12-06 16:43 Pacific ...

References

CWE-427
CWE-282
https://github.blog/2022-04-12-git-security-vulnerability-announced
https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v
http://www.openwall.com/lists/oss-security/2022/07/14/1
https://support.apple.com/kb/HT213496
http://seclists.org/fulldisclosure/2022/Nov/1
https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
https://lore.kernel.org/git/xmqqv8s2fefi.fsf%40gitster.g/T/#u
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
https://security.gentoo.org/glsa/202312-15
https://security.gentoo.org/glsa/202401-17
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014848
https://ubuntu.com/security/notices/USN-5511-1
https://nvd.nist.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-11
https://alas.aws.amazon.com/AL2/ALAS-2022-1820.html