{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39260", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.573Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-19T00:00:00"}, "containers": {"cna": {"title": "Git vulnerable to Remote Code Execution via Heap overflow in `git shell`", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-27T10:06:16.422068"}, "descriptions": [{"lang": "en", "value": "Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround."}], "affected": [{"vendor": "git", "product": "git", "versions": [{"version": "< 2.30.6", "status": "affected"}, {"version": "> 2.31.0, < 2.31.5", "status": "affected"}, {"version": "> 2.32.0, < 2.32.4", "status": "affected"}, {"version": "> 2.33.0, < 2.33.5", "status": "affected"}, {"version": "> 2.34.0, < 2.34.5", "status": "affected"}, {"version": "> 2.34.0, < 2.35.5", "status": "affected"}, {"version": "> 2.35.0, < 2.36.3", "status": "affected"}, {"version": "> 2.37.0, < 2.37.4", "status": "affected"}]}], "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6"}, {"name": "FEDORA-2022-8b58806840", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/"}, {"url": "https://support.apple.com/kb/HT213496"}, {"name": "FEDORA-2022-53aadd995f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/"}, {"name": "20221107 APPLE-SA-2022-11-01-1 Xcode 14.1", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/Nov/1"}, {"name": "FEDORA-2022-fb088df94c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/"}, {"name": "[debian-lts-announce] 20221213 [SECURITY] [DLA 3239-1] git security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html"}, {"name": "GLSA-202312-15", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202312-15"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "cweId": "CWE-787"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "cweId": "CWE-122"}]}], "source": {"advisory": "GHSA-rjr6-wcq6-83p6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.573Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-8b58806840", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/"}, {"url": "https://support.apple.com/kb/HT213496", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-53aadd995f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/"}, {"name": "20221107 APPLE-SA-2022-11-01-1 Xcode 14.1", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/Nov/1"}, {"name": "FEDORA-2022-fb088df94c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/"}, {"name": "[debian-lts-announce] 20221213 [SECURITY] [DLA 3239-1] git security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html"}, {"name": "GLSA-202312-15", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202312-15"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "28199E8F-36D0-46F8-AF0A-9460390BE56F", "versionEndExcluding": "2.30.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "E095AAE7-18C2-4957-9740-FC804860B9C2", "versionEndExcluding": "2.31.5", "versionStartIncluding": "2.31.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "459EE43E-40FB-45BE-A1CC-51435E9F92AD", "versionEndExcluding": "2.32.4", "versionStartIncluding": "2.32.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CBDDA42-F5EC-4747-BF3C-16683D684702", "versionEndExcluding": "2.33.5", "versionStartIncluding": "2.33.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7691E22-145E-4D97-A6E0-6515742781B9", "versionEndExcluding": "2.34.5", "versionStartIncluding": "2.34.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "E02396C2-BB34-4D18-917E-DA56EA7B58B9", "versionEndExcluding": "2.35.5", "versionStartIncluding": "2.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "51BEAEEC-9D9D-4CFE-8958-43BFE87DE501", "versionEndExcluding": "2.36.3", "versionStartIncluding": "2.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "566CF89C-AC39-47D7-B3DE-633B2237F816", "versionEndExcluding": "2.37.4", "versionStartIncluding": "2.37.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.38.0:*:*:*:*:*:*:*", "matchCriteriaId": "1AFEECCB-B8DB-4270-A860-C2BA1C7B267C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "matchCriteriaId": "CECD39AA-41F4-4638-B59A-C5E928B585C3", "versionEndExcluding": "14.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround."}, {"lang": "es", "value": "Git es un sistema de control de revisiones distribuido, escalable y de c\u00f3digo abierto. \"git shell\" es un shell de acceso restringido que puede ser usado para implementar la funcionalidad push/pull de Git por medio de SSH. En versiones anteriores a 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4, la funci\u00f3n que divide los argumentos del comando en un array usa incorrectamente un \"int\" para representar el n\u00famero de entradas en el array, permitiendo a un actor malicioso desbordar intencionadamente el valor de retorno, conllevando a escrituras arbitrarias en la pila. Dado que la matriz resultante es pasada a \"execv()\", es posible aprovechar este ataque para obtener la ejecuci\u00f3n de c\u00f3digo remota en una m\u00e1quina v\u00edctima. Tenga en cuenta que una v\u00edctima debe permitir primero el acceso a \"git shell\" como shell de inicio de sesi\u00f3n para ser vulnerable a este ataque. Este problema est\u00e1 parcheado en versiones 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4 y es recomendado a usuarios actualizar a la \u00faltima versi\u00f3n. Deshabilitar el acceso al \"git shell\" por medio de inicios de sesi\u00f3n remotos es una mitigaci\u00f3n viable a corto plazo"}], "id": "CVE-2022-39260", "lastModified": "2023-12-27T10:15:37.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-19T12:15:10.160", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Nov/1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/"}, {"source": "security-advisories@github.com", "url": "https://security.gentoo.org/glsa/202312-15"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213496"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2859", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-0:2.39.1-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:0407", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "git-0:2.31.8-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2023:2319", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "git-0:2.39.1-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "git: git shell function that splits command arguments can lead to arbitrary heap writes.", "id": "2137423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137423"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround."], "mitigation": {"lang": "en:us", "value": "Disabling `git shell` access via remote logins is a viable short-term workaround."}, "name": "CVE-2022-39260", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-git227-git", "product_name": "Red Hat Software Collections"}], "public_date": "2022-10-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-39260\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-39260"], "threat_severity": "Moderate", "upstream_fix": "git 2.30.6, git 2.31.5, git 2.32.4, git 2.33.5, git 2.34.5, git 2.35.5, git 2.36.3, git 2.37.4"}