First published: Thu Apr 20 2023
<a href="https://access.redhat.com/security/cve/CVE-2023-29007">CVE-2023-29007</a> When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Visual Studio 2017 (includes 15.0 - 15.8) | =15.9 | |
redhat/git | <0:1.8.3.1-25.el7_9 | 0:1.8.3.1-25.el7_9 |
redhat/git | <0:2.39.3-1.el8_8 | 0:2.39.3-1.el8_8 |
redhat/git | <0:2.18.4-3.el8_1 | 0:2.18.4-3.el8_1 |
redhat/git | <0:2.18.4-4.el8_2 | 0:2.18.4-4.el8_2 |
redhat/git | <0:2.27.0-4.el8_4 | 0:2.27.0-4.el8_4 |
redhat/git | <0:2.31.1-4.el8_6 | 0:2.31.1-4.el8_6 |
redhat/git | <0:2.39.3-1.el9_2 | 0:2.39.3-1.el9_2 |
redhat/git | <0:2.31.1-5.el9_0 | 0:2.31.1-5.el9_0 |
redhat/rh-git227-git | <0:2.27.0-6.el7 | 0:2.27.0-6.el7 |
Microsoft Visual Studio 2019 (includes 16.0 - 16.10) | =16.11 | |
Git-scm Git | <2.30.9 | |
Git-scm Git | >=2.31.0<2.31.8 | |
Git-scm Git | >=2.32.0<2.32.7 | |
Git-scm Git | >=2.33.0<2.33.8 | |
Git-scm Git | >=2.34.0<2.34.8 | |
Git-scm Git | >=2.35.0<2.35.8 | |
Git-scm Git | >=2.36.0<2.36.6 | |
Git-scm Git | >=2.37.0<2.37.7 | |
Git-scm Git | >=2.38.0<2.38.5 | |
Git-scm Git | >=2.39.0<2.39.3 | |
Git-scm Git | =2.40.0 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Microsoft Visual Studio 2022 | =17.0 | |
Microsoft Visual Studio 2022 | =17.6 | |
Microsoft Visual Studio 2022 | =17.2 | |
Fedoraproject Fedora | =36 | |
IBM QRadar SIEM | <=7.5.0 - 7.5.0 UP6 | |
debian/git | <=1:2.30.2-1+deb11u2<=1:2.39.2-1.1 | 1:2.30.2-1+deb11u3 1:2.39.5-0+deb12u1 1:2.45.2-1 1:2.45.2-1.1 |
CVE-2023-29007 is an arbitrary configuration injection vulnerability in Git. The code behind `git config --rename-section` and `git config --remove-section` read the configuration file through a fixed 1024-byte buffer, so any line longer than that was delivered in pieces and each piece was handled as if it were a line of its own. If a piece happened to begin with `[`, it was taken for a new section header, which ended the section being removed and left the rest of that piece in the file. `git submodule deinit` runs this remove-section code on the submodule's own section, which is how a specially crafted .gitmodules file reaches it.
The severity of CVE-2023-29007 is high, with a CVSS base score of 7.8.
CVE-2023-29007 affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1.
CVE-2023-29007 can be exploited with a specially crafted .gitmodules file whose submodule URL is longer than 1024 characters. Once that URL has been copied into the repository's own config (which happens when the submodule is initialised), running `git submodule deinit` on the submodule triggers the faulty section removal, and the part of the URL that lies past the buffer boundary survives as injected configuration text.
Upgrading Git to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1 fixes the vulnerability. Until the upgrade is in place, do not run `git submodule deinit` on untrusted repositories, or first inspect the `submodule.<name>` sections of `$GIT_DIR/config` for over-long values.
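The buffer-boundary behaviour described above, modelled in a standalone C program. This is an added example and not Git's own code: `remove_section` is a miniature of the remove-section loop that can be fed either fgets-style 1023-byte pieces (the vulnerable shape) or whole lines (the shape of the fix), and `build_config` constructs a sample `.git/config` whose submodule URL is padded so that the bytes after the 1023rd byte of its line read `[core] pager = echo pwned`, a header-plus-key form Git's config parser accepts on one line. The function names, the sample config, the padding length and the prefix-based header comparison are assumptions made for the demo; real Git normalises section names before comparing them.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024 /* the fixed line buffer of the vulnerable loop */

/* In-memory stand-in for fgets(buf, n, fp): at most n-1 bytes, stops after
 * '\n'. A longer line therefore comes back in pieces, each looking like a line. */
static size_t mem_fgets(char *buf, size_t n, const char *src, size_t *pos)
{
    size_t i = 0;
    while (i + 1 < n && src[*pos] != '\0') {
        buf[i++] = src[(*pos)++];
        if (buf[i - 1] == '\n')
            break;
    }
    buf[i] = '\0';
    return i;
}

/* Whole-line reader (shape of the fix: a growable buffer). malloc'd copy
 * including the newline, or NULL at end of input. */
static char *mem_getline(const char *src, size_t *pos)
{
    const char *start = src + *pos, *nl = strchr(start, '\n');
    size_t len = nl ? (size_t)(nl - start) + 1 : strlen(start);
    char *line;
    if (len == 0)
        return NULL;
    line = malloc(len + 1);
    memcpy(line, start, len);
    line[len] = '\0';
    *pos += len;
    return line;
}

static const char *skip_ws(const char *s)
{
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    return s;
}

/* Miniature of the remove-section loop: lines from the matching header up to
 * the next header are dropped, everything else is copied through. chunked=1
 * feeds it fgets-style pieces (vulnerable); chunked=0 feeds whole lines (fixed).
 * Demo-only header match by text prefix (assumption; Git normalises names). */
char *remove_section(const char *config, const char *header, int chunked)
{
    char fixed[BUF_SIZE];
    char *out = malloc(strlen(config) + 1); /* output never grows */
    size_t outlen = 0, pos = 0;
    int removing = 0;
    for (;;) {
        char *line = fixed;
        if (chunked ? mem_fgets(fixed, sizeof fixed, config, &pos) == 0
                    : (line = mem_getline(config, &pos)) == NULL)
            break;
        if (*skip_ws(line) == '[') /* "this piece is a section header" */
            removing = strncmp(skip_ws(line), header, strlen(header)) == 0;
        if (!removing) {
            memcpy(out + outlen, line, strlen(line));
            outlen += strlen(line);
        }
        if (!chunked)
            free(line);
    }
    out[outlen] = '\0';
    return out;
}

/* Constructed sample .git/config: a benign [core] section, then the submodule
 * section a hostile .gitmodules leaves behind. The url line is padded to exactly
 * BUF_SIZE-1 bytes so the injected text is the first thing the next fgets() sees. */
char *build_config(void)
{
    const char *head = "[core]\n\tbare = false\n[submodule \"evil\"]\n";
    const char *key = "\turl = ";
    const char *inject = "[core] pager = echo pwned\n";
    size_t pad = (BUF_SIZE - 1) - strlen(key);
    char *cfg = malloc(strlen(head) + strlen(key) + pad + strlen(inject) + 1);
    char *p = cfg;
    memcpy(p, head, strlen(head));     p += strlen(head);
    memcpy(p, key, strlen(key));       p += strlen(key);
    memset(p, 'A', pad);               p += pad;
    memcpy(p, inject, strlen(inject)); p += strlen(inject);
    *p = '\0';
    return cfg;
}

int main(void)
{
    char *cfg = build_config();
    char *vuln = remove_section(cfg, "[submodule \"evil\"]", 1);
    char *safe = remove_section(cfg, "[submodule \"evil\"]", 0);
    printf("--- fixed %d-byte buffer ---\n%s--- whole lines ---\n%s", BUF_SIZE, vuln, safe);
    free(cfg); free(vuln); free(safe);
    return 0;
}
```

With the chunked reader the submodule header and the first 1023 bytes of the url line are dropped, but the remainder `[core] pager = echo pwned` is treated as a new header and written back, so the rewritten config now carries a `core.pager` entry the user never set; with whole-line reading the entire url line goes with its section and nothing is injected. The same shape applies to `--rename-section`, where the stray header additionally ends the renamed region early.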