First published: Tue Feb 14 2023
Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, by carefully crafting a DLL and putting it into a subdirectory of a specific name living next to the Git for Windows installer, Windows can be tricked into side-loading said DLL. This potentially allows users with local write access to place malicious payloads in a location where automated upgrades might run the Git for Windows installer with elevation. Version 2.39.2 contains a patch for this issue. Some workarounds are available: never leave untrusted files in the Downloads folder or its sub-folders before executing the Git for Windows installer, or move the installer into a different directory before executing it.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Microsoft Visual Studio 2017 (includes 15.0 - 15.8) | =15.9 |
Microsoft Visual Studio 2019 (includes 16.0 - 16.10) | =16.11 |
Microsoft Visual Studio 2022 | =17.2 |
Microsoft Visual Studio 2022 | =17.5 |
Microsoft Visual Studio 2022 | =17.0 |
Git For Windows Project Git For Windows | <2.39.2 | Update to 2.39.2 or newer
CVE-2023-22743 is a vulnerability in Git for Windows that allows for an elevation of privilege.
By carefully crafting a DLL and putting it into a subdirectory with a specific name next to the Git for Windows installer, Windows can be tricked into side-loading the DLL.
CVE-2023-22743 has a severity rating of 7.3, which is considered high.
Git for Windows versions prior to 2.39.2 are affected by CVE-2023-22743.
To fix CVE-2023-22743, update Git for Windows to version 2.39.2 or newer.
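The following PowerShell script is an added example, not code from the advisory or from the Git for Windows project. It implements the two defender-side actions the advisory gives: checking whether the installed Git is already at 2.39.2 or newer, and applying the workaround of running the installer from a freshly created empty directory rather than from Downloads. It also flags the risky condition (an installer that has sibling subdirectories) and verifies the installer's Authenticode signature before launching it. Assumptions of mine, not stated on the page: installer file names follow the `Git-*-bit.exe` pattern and the installed `git.exe` is on `PATH`.

```powershell
# Added example (not from the advisory or the Git for Windows project):
# defender-side checks for CVE-2023-22743 and its documented workaround.
# Assumptions: installer names match Git-*-bit.exe; git.exe is on PATH.
$ErrorActionPreference = 'Stop'

# Version that contains the fix, per the advisory.
$FixedVersion = [version]'2.39.2'

function Test-GitForWindowsUpToDate {
    # Returns $true when the installed Git reports a version >= 2.39.2.
    $gitCmd = Get-Command git.exe -ErrorAction SilentlyContinue
    if (-not $gitCmd) { return $false }
    $text = & $gitCmd.Source --version      # e.g. "git version 2.39.2.windows.1"
    if ($text -match 'git version (\d+\.\d+\.\d+)') {
        return ([version]$Matches[1]) -ge $FixedVersion
    }
    return $false
}

function Get-InstallerSideLoadRisk {
    # Reports the condition the advisory describes: the installer sits in a
    # directory (typically Downloads) that also contains subdirectories,
    # which is where an attacker-controlled DLL would have to live.
    param([Parameter(Mandatory)][string]$InstallerPath)
    $full = (Resolve-Path -LiteralPath $InstallerPath).Path
    $dir  = Split-Path -Parent $full
    $subdirs = @(Get-ChildItem -LiteralPath $dir -Directory)
    [pscustomobject]@{
        Installer        = $full
        Directory        = $dir
        SiblingSubdirs   = $subdirs.Count
        SideLoadPossible = ($subdirs.Count -gt 0)
    }
}

function Invoke-InstallerFromCleanDirectory {
    # Applies the workaround: copy the installer into a freshly created,
    # empty directory, verify its Authenticode signature there, and only
    # then launch it. With -WhatIf nothing is executed; the staged path is
    # still returned so the caller can inspect it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$InstallerPath)

    $stage = Join-Path $env:TEMP ('git-installer-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $stage | Out-Null
    $staged = Join-Path $stage (Split-Path -Leaf $InstallerPath)
    Copy-Item -LiteralPath $InstallerPath -Destination $staged

    # Nothing else may live beside the staged copy; fail closed if it does.
    if (@(Get-ChildItem -LiteralPath $stage -Force).Count -ne 1) {
        throw "Staging directory $stage is not empty apart from the installer"
    }

    # Refuse anything that is unsigned or whose signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $staged
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run installer: signature status is $($sig.Status)"
    }

    if ($PSCmdlet.ShouldProcess($staged, 'Run Git for Windows installer')) {
        Start-Process -FilePath $staged -Wait
    }
    return $staged
}

# Usage (uncomment to run):
# Test-GitForWindowsUpToDate
# Get-ChildItem "$env:USERPROFILE\Downloads" -Filter 'Git-*-bit.exe' |
#     ForEach-Object { Get-InstallerSideLoadRisk $_.FullName }
# Invoke-InstallerFromCleanDirectory "$env:USERPROFILE\Downloads\Git-2.39.2-64-bit.exe" -WhatIf
```

`Get-InstallerSideLoadRisk` is an inventory check, not a proof of compromise: a sibling subdirectory only means the precondition for side-loading is present. `Invoke-InstallerFromCleanDirectory` removes that precondition entirely by staging the installer alone in a new directory, and the signature check guards against a tampered installer regardless of where it came from. Once `Test-GitForWindowsUpToDate` returns `$true` the workaround is no longer needed for that host.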