CVE-2023-29011
First published: Tue Apr 25 2023(Updated: )
Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of `connect.exe`'s config file is hard-coded as `/etc/connectrc` which will typically be interpreted as `C:\etc\connectrc`. Since `C:\etc` can be created by any authenticated user, this makes `connect.exe` susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder `etc` on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious `<drive>:\etc\connectrc` files on multi-user machines.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Visual Studio 2017 (includes 15.0 - 15.8) | =15.9 | |
| Microsoft Visual Studio 2019 (includes 16.0 - 16.10) | =16.11 | |
| Microsoft Visual Studio 2022 | =17.6 | |
| Microsoft Visual Studio 2022 | =17.2 | |
| Microsoft Visual Studio 2022 | =17.0 | |
| Git For Windows Project Git For Windows | <2.40.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-29011?
CVE-2023-29011 is a vulnerability that affects the config file of `connect.exe` in Visual Studio 2017, 2019, and 2022.
What is the severity of CVE-2023-29011?
CVE-2023-29011 has a severity level of high with a severity value of 7.
Which software versions are affected by CVE-2023-29011?
CVE-2023-29011 affects Visual Studio 2017 (includes 15.0 - 15.8), Visual Studio 2019 (includes 16.0 - 16.10), and Visual Studio 2022.
How can I fix CVE-2023-29011?
To fix CVE-2023-29011, you should update your Visual Studio software to the latest version by following the provided remedy links.
Where can I find more information about CVE-2023-29011?
You can find more information about CVE-2023-29011 on the Microsoft Security Response Center website.
- collector/msrc
- collector/msrc-cve
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/software-canonical-lookup-request
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/description
- collector/nvd-index
- vendor/microsoft
- canonical/microsoft visual studio 2017 (includes 15.0 - 15.8)
- version/microsoft visual studio 2017 (includes 15.0 - 15.8)/15.9
- canonical/microsoft visual studio 2019 (includes 16.0 - 16.10)
- version/microsoft visual studio 2019 (includes 16.0 - 16.10)/16.11
- canonical/microsoft visual studio 2022
- version/microsoft visual studio 2022/17.6
- version/microsoft visual studio 2022/17.4
- version/microsoft visual studio 2022/17.2
- version/microsoft visual studio 2022/17.0
- vendor/git for windows project
- canonical/git for windows project git for windows