First published: Thu Apr 20 2023 (Updated: )
<a href="https://access.redhat.com/security/cve/CVE-2023-25652">CVE-2023-25652</a>: By feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Visual Studio 2017 (includes 15.0 - 15.8) | =15.9 | |
redhat/git | <0:1.8.3.1-25.el7_9 | 0:1.8.3.1-25.el7_9 |
redhat/git | <0:2.39.3-1.el8_8 | 0:2.39.3-1.el8_8 |
redhat/git | <0:2.18.4-3.el8_1 | 0:2.18.4-3.el8_1 |
redhat/git | <0:2.18.4-4.el8_2 | 0:2.18.4-4.el8_2 |
redhat/git | <0:2.27.0-4.el8_4 | 0:2.27.0-4.el8_4 |
redhat/git | <0:2.31.1-4.el8_6 | 0:2.31.1-4.el8_6 |
redhat/git | <0:2.39.3-1.el9_2 | 0:2.39.3-1.el9_2 |
redhat/git | <0:2.31.1-5.el9_0 | 0:2.31.1-5.el9_0 |
redhat/rh-git227-git | <0:2.27.0-6.el7 | 0:2.27.0-6.el7 |
Microsoft Visual Studio 2019 (includes 16.0 - 16.10) | =16.11 | |
Git-scm Git | <2.30.9 | |
Git-scm Git | >=2.31.0<2.31.8 | |
Git-scm Git | >=2.32.0<2.32.7 | |
Git-scm Git | >=2.33.0<2.33.8 | |
Git-scm Git | >=2.34.0<2.34.8 | |
Git-scm Git | >=2.35.0<2.35.8 | |
Git-scm Git | >=2.36.0<2.36.6 | |
Git-scm Git | >=2.37.0<2.37.7 | |
Git-scm Git | >=2.38.0<2.38.5 | |
Git-scm Git | >=2.39.0<2.39.3 | |
Git-scm Git | =2.40.0 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Microsoft Visual Studio 2022 | =17.0 | |
Microsoft Visual Studio 2022 | =17.4 | |
Microsoft Visual Studio 2022 | =17.2 | |
IBM QRadar SIEM | <=7.5.0 - 7.5.0 UP6 | |
debian/git | <=1:2.30.2-1+deb11u2 | 1:2.30.2-1+deb11u3 1:2.39.5-0+deb12u1 1:2.45.2-1 1:2.45.2-1.2 |
CVE-2023-25652 refers to a vulnerability in Git that allows an attacker to overwrite a file outside of the working tree with partially controlled contents.
CVE-2023-25652 has a severity rating of high.
The vulnerability affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1.
To fix CVE-2023-25652, you should update Git to version 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1.
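A quick way to turn the fixed-version list above into an inventory check. This is an added example written for this page, not SecAlerts' or Git's own code; it assumes upstream `git --version` numbering and parses vendor suffixes such as `(Apple Git-143)` or `.windows.1` (version strings below are constructed for the example).

```python
import re

# Fixed upstream releases for CVE-2023-25652, per maintained minor branch
# (the list given in the advisory text above).
FIXED_BY_MINOR = {
    30: (2, 30, 9), 31: (2, 31, 8), 32: (2, 32, 7), 33: (2, 33, 8),
    34: (2, 34, 8), 35: (2, 35, 8), 36: (2, 36, 6), 37: (2, 37, 7),
    38: (2, 38, 5), 39: (2, 39, 3), 40: (2, 40, 1),
}


def parse_git_version(output):
    """Extract (major, minor, patch) from `git --version` output.

    Tolerates suffixes like '2.39.2 (Apple Git-143)' or '2.40.0.windows.1';
    returns None when no version number is present.
    """
    m = re.search(r"git version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if an upstream Git version lacks the CVE-2023-25652 fix.

    Everything older than 2.30.9 is affected; each later minor branch is
    affected below its own fixed point release; 2.41 and newer shipped fixed.
    Distribution packages (e.g. the Red Hat and Debian builds in the table)
    backport the fix without changing the upstream version, so check those
    against the package table rather than with this function.
    """
    major, minor, _patch = version
    if major < 2 or (major == 2 and minor < 30):
        return True
    if major > 2 or minor > 40:
        return False
    return version < FIXED_BY_MINOR[minor]


def check(output):
    """Classify raw `git --version` output as affected / fixed / unknown."""
    v = parse_git_version(output)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "fixed"


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["git", "--version"], capture_output=True, text=True).stdout
    print(out.strip(), "->", check(out))
```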
You can find more information about CVE-2023-25652 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2023-25652), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189765), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189766).