What is CVE-2022-39253?

CVE-2022-39253 is a vulnerability in Git that allows sensitive information exposure to a malicious actor.

What is the severity of CVE-2022-39253?

CVE-2022-39253 has a severity of medium.

Which software versions are affected by CVE-2022-39253?

Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 of Git are affected by CVE-2022-39253.

How can I fix CVE-2022-39253?

To fix CVE-2022-39253, update Git to version 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, or 2.37.4.

Where can I find more information about CVE-2022-39253?

You can find more information about CVE-2022-39253 on the CVE website, NIST's vulnerability database, and the Red Hat Bugzilla and Errata pages.

Vulnerability/
CVE-2022-39253

medium

5.5

CWE

200 59

18/10/2022

24/1/2024

CVE-2022-39253: Git subject to exposure of sensitive information via local clone of symbolic links

First published: Tue Oct 18 2022(Updated: )

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Credit: Cory Snider Mirantis security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/git	<0:2.39.1-1.el8	0:2.39.1-1.el8
redhat/git	<0:2.39.1-1.el9	0:2.39.1-1.el9
	<2.30.6
	>=2.31.0<2.31.5
	>=2.32.0<2.32.4
	>=2.33.0<2.33.5
	>=2.34.0<2.34.5
	>=2.35.0<2.35.5
	>=2.36.0<2.36.3
	>=2.37.0<2.37.4
	=2.38.0
	=35
	=36
	=37
	<14.1
	=10.0
Git-scm Git	<2.30.6
Git-scm Git	>=2.31.0<2.31.5
Git-scm Git	>=2.32.0<2.32.4
Git-scm Git	>=2.33.0<2.33.5
Git-scm Git	>=2.34.0<2.34.5
Git-scm Git	>=2.35.0<2.35.5
Git-scm Git	>=2.36.0<2.36.3
Git-scm Git	>=2.37.0<2.37.4
Git-scm Git	=2.38.0
Fedoraproject Fedora	=35
Fedoraproject Fedora	=36
Fedoraproject Fedora	=37
Apple Xcode	<14.1
Debian Debian Linux	=10.0
redhat/git	<2.30.6	2.30.6
redhat/git	<2.31.5	2.31.5
redhat/git	<2.32.4	2.32.4
redhat/git	<2.33.5	2.33.5
redhat/git	<2.34.5	2.34.5
redhat/git	<2.35.5	2.35.5
redhat/git	<2.36.3	2.36.3
redhat/git	<2.37.4	2.37.4
Apple Xcode	<14.1	14.1

Remedy

Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is CVE-2022-39253?
CVE-2022-39253 is a vulnerability in Git that allows sensitive information exposure to a malicious actor.
What is the severity of CVE-2022-39253?
CVE-2022-39253 has a severity of medium.
Which software versions are affected by CVE-2022-39253?
Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 of Git are affected by CVE-2022-39253.
How can I fix CVE-2022-39253?
To fix CVE-2022-39253, update Git to version 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, or 2.37.4.
Where can I find more information about CVE-2022-39253?
You can find more information about CVE-2022-39253 on the CVE website, NIST's vulnerability database, and the Red Hat Bugzilla and Errata pages.

collector/redhat-cve
collector/nvd-index
collector/mitre-cve
agent/type
agent/first-publish-date
agent/softwarecombine
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/author
agent/weakness
agent/title
agent/remedy
agent/references
agent/severity
agent/event
collector/apple-support
source/Apple
agent/last-modified-date
agent/tags
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-39253
package-manager/redhat
vendor/git-scm
canonical/git-scm git
version/git-scm git/2.31.0
version/git-scm git/2.32.0
version/git-scm git/2.33.0
version/git-scm git/2.34.0
version/git-scm git/2.35.0
version/git-scm git/2.36.0
version/git-scm git/2.37.0
version/git-scm git/2.38.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/35
version/fedoraproject fedora/36
version/fedoraproject fedora/37
vendor/apple
canonical/apple xcode
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0