CVE-2022-39260: Git vulnerable to Remote Code Execution via Heap overflow in `git shell`
First published: Tue Oct 18 2022(Updated: )
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
Credit: Kevin Backhouse the GitHub Security Lab security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/git | <0:2.39.1-1.el8 | 0:2.39.1-1.el8 |
| redhat/git | <0:2.39.1-1.el9 | 0:2.39.1-1.el9 |
| <2.30.6 | ||
| >=2.31.0<2.31.5 | ||
| >=2.32.0<2.32.4 | ||
| >=2.33.0<2.33.5 | ||
| >=2.34.0<2.34.5 | ||
| >=2.35.0<2.35.5 | ||
| >=2.36.0<2.36.3 | ||
| >=2.37.0<2.37.4 | ||
| =2.38.0 | ||
| =35 | ||
| =36 | ||
| =37 | ||
| <14.1 | ||
| =10.0 | ||
| Git-scm Git | <2.30.6 | |
| Git-scm Git | >=2.31.0<2.31.5 | |
| Git-scm Git | >=2.32.0<2.32.4 | |
| Git-scm Git | >=2.33.0<2.33.5 | |
| Git-scm Git | >=2.34.0<2.34.5 | |
| Git-scm Git | >=2.35.0<2.35.5 | |
| Git-scm Git | >=2.36.0<2.36.3 | |
| Git-scm Git | >=2.37.0<2.37.4 | |
| Git-scm Git | =2.38.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Apple Xcode | <14.1 | |
| Debian Debian Linux | =10.0 | |
| redhat/git | <2.30.6 | 2.30.6 |
| redhat/git | <2.31.5 | 2.31.5 |
| redhat/git | <2.32.4 | 2.32.4 |
| redhat/git | <2.33.5 | 2.33.5 |
| redhat/git | <2.34.5 | 2.34.5 |
| redhat/git | <2.35.5 | 2.35.5 |
| redhat/git | <2.36.3 | 2.36.3 |
| redhat/git | <2.37.4 | 2.37.4 |
| Apple Xcode | <14.1 | 14.1 |
Remedy
Disabling `git shell` access via remote logins is a viable short-term workaround.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-39260 https://nvd.nist.gov/vuln/detail/CVE-2022-39260
- https://bugzilla.redhat.com/show_bug.cgi?id=2137423
- https://access.redhat.com/errata/RHSA-2023:2859
- https://access.redhat.com/errata/RHSA-2023:2319
- https://access.redhat.com/security/cve/cve-2022-39260
- http://seclists.org/fulldisclosure/2022/Nov/1
- https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6
- https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
- https://support.apple.com/kb/HT213496
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
- https://security.gentoo.org/glsa/202312-15
- https://support.apple.com/en-us/HT213496 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2137427
- https://access.redhat.com/errata/RHSA-2024:0407
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2022-39260.
What is the severity of CVE-2022-39260?
The severity of CVE-2022-39260 is high with a CVSS score of 8.8.
What is the affected software?
The affected software includes Apple Xcode version up to 14.1 and Git versions up to 2.37.4.
How does this vulnerability affect Git?
This vulnerability in Git allows an attacker to exploit the function that splits the command using a specially crafted path and execute arbitrary code.
What is the fix for this vulnerability?
To fix this vulnerability, it is recommended to update Git to version 2.37.4 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/remedy
- agent/title
- agent/severity
- agent/event
- collector/apple-support
- source/Apple
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-39260
- agent/last-modified-date
- agent/references
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/git-scm
- canonical/git-scm git
- version/git-scm git/2.31.0
- version/git-scm git/2.32.0
- version/git-scm git/2.33.0
- version/git-scm git/2.34.0
- version/git-scm git/2.35.0
- version/git-scm git/2.36.0
- version/git-scm git/2.37.0
- version/git-scm git/2.38.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- vendor/apple
- canonical/apple xcode
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0