Important notice for Git users. Two critical vulnerabilities in Git, CVE-2022-23521 and CVE-2022-41903, could allow remote code execution by a malicious actor. They affect v2.39.0 and all earlier releases; the maintainers have released patched versions from v2.30.7 through v2.39.1 (one patch release on each maintained line) to address them.
CVE-2022-23521, the more severe of the two, is an integer overflow in the parsing of .gitattributes files: a crafted .gitattributes file (very long lines, a very large number of patterns, or a very large number of attributes) causes heap-based memory corruption when Git parses it, which can happen during a clone or pull, potentially leading to code execution. CVE-2022-41903 is an integer overflow in the commit-log formatting code (the padding operators of `git log --format`); it is reachable through `git archive` by way of the export-subst attribute, and can likewise lead to code execution.
The bugs were reported by security researchers Markus Vervier and Eric Sesterhenn of X41 D-Sec (CVE-2022-23521) and Joern Schneeweisz of GitLab (CVE-2022-41903). The same releases also fix several integer-related issues that may cause denial of service, out-of-bounds reads, or mishandled corner cases with large input.
Both bugs are triggered by data an attacker controls: the contents of a repository being cloned or pulled, or of a repository on which `git archive` is run. Anyone who clones or pulls untrusted repositories, or who serves `git archive` over untrusted content (for example through `git daemon`), is therefore exposed, and a successful exploit runs code with the privileges of the Git process, which could be used to gain unauthorized access to sensitive information, disrupt operations, or cause other harm.
What to do?
It is recommended that Git users update to a patched version as soon as possible to protect against potential attacks. Users should also be aware of the risks of cloning, pulling from, or archiving untrusted repositories and take measures to limit that exposure.
Git's advisory recommends disabling `git archive` in untrusted repositories as a mitigation for CVE-2022-41903 when updating to a fixed version is not possible; if `git archive` is exposed through `git daemon`, it can be disabled with `git config --global daemon.uploadArch false`. GitLab has also released versions 15.7.5, 15.6.6, and 15.5.9 for both Community and Enterprise Editions to address the vulnerabilities and urges customers to apply the fixes immediately.
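As an added example (not part of the original notice or of the Git project), here is a small POSIX shell script that checks the output of `git --version` against the patched releases and, when a vulnerable build is found, prints the mitigation above instead of silently continuing. The per-line patch versions (v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1) are taken from the upstream security announcement; the notice above names only the endpoints of that range. Anything on a line older than 2.30 is treated as vulnerable because no patch release exists for it, and anything newer than 2.39 as fixed.

```shell
#!/bin/sh
# Added example: is this Git build patched for CVE-2022-23521 / CVE-2022-41903?

# Lowest patched micro version for each maintained release line (2.30 .. 2.39),
# as listed in the upstream announcement for the January 2023 fixes.
fixed_micro_for_minor() {
  case "$1" in
    30) echo 7 ;;
    31) echo 6 ;;
    32) echo 5 ;;
    33) echo 6 ;;
    34) echo 6 ;;
    35) echo 6 ;;
    36) echo 4 ;;
    37) echo 5 ;;
    38) echo 3 ;;
    39) echo 1 ;;
    *)  echo "" ;;
  esac
}

# git_is_patched "<output of git --version>"
# Exit status: 0 = patched, 1 = vulnerable, 2 = version string not understood.
# Accepts vendor suffixes such as "git version 2.39.1 (Apple Git-145)".
git_is_patched() {
  ver=$(printf '%s\n' "$1" | sed -n \
    's/^git version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || return 2
  set -- $ver
  major=$1; minor=$2; micro=$3
  [ "$major" -gt 2 ] && return 0          # Git 3.x or later: after the fix
  [ "$major" -lt 2 ] && return 1          # Git 1.x: never patched
  [ "$minor" -gt 39 ] && return 0         # 2.40+ contain the fix
  [ "$minor" -lt 30 ] && return 1         # 2.29 and older: no patch release
  fixed=$(fixed_micro_for_minor "$minor")
  [ -n "$fixed" ] || return 2
  [ "$micro" -ge "$fixed" ] && return 0
  return 1
}

# Stand-alone use: check the local git, and print the advisory's mitigation
# for CVE-2022-41903 if the build is vulnerable. Nothing is changed on disk.
if command -v git >/dev/null 2>&1; then
  v=$(git --version)
  if git_is_patched "$v"; then
    echo "$v: patched"
  else
    rc=$?
    if [ "$rc" -eq 2 ]; then
      echo "$v: could not parse version string"
    else
      echo "$v: VULNERABLE - update to a patched release."
      echo "Until then, do not run 'git archive' on untrusted repositories and,"
      echo "if git daemon is in use, run: git config --global daemon.uploadArch false"
    fi
  fi
fi
```

Because the check only reads `git --version`, it is safe to run on build hosts and CI runners as a quick inventory step; the mitigation command is printed, not applied, so that the operator decides where the global config should change.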
Git users should also follow the established best practices for securing their source code version control systems and verify that they are actually in place.
With CloudWize you can easily add your Bitbucket, GitHub and/or GitLab repository for risk scanning.
Learn more about Infrastructure As Code (IAC) Risks Scanning.
It is always a good idea to keep your software up to date, to know which vulnerabilities your systems may be exposed to, and to take steps to mitigate them. This is crucial to keeping your systems and data safe.