{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-46835", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-30T19:41:58.135Z", "datePublished": "2025-07-10T15:09:42.735Z", "dateUpdated": "2025-11-04T21:10:52.169Z"}, "containers": {"cna": {"title": "Git GUI can create and overwrite files for which the user has write permission", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg"}, {"name": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da", "tags": ["x_refsource_MISC"], "url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da"}], "affected": [{"vendor": "j6t", "product": "git-gui", "versions": [{"version": "< 2.43.7", "status": "affected"}, {"version": ">= 2.44.0, < 2.44.4", "status": "affected"}, {"version": ">= 2.45.0, < 2.45.4", "status": "affected"}, {"version": ">= 2.46.0, < 2.46.4", "status": "affected"}, {"version": ">= 2.47.0, < 2.47.3", "status": "affected"}, {"version": ">= 2.48.0, < 2.48.2", "status": "affected"}, {"version": ">= 2.49.0, < 2.49.1", "status": "affected"}, {"version": ">= 2.50.0, < 2.50.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-10T15:09:42.735Z"}, "descriptions": [{"lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."}], "source": {"advisory": "GHSA-xfx7-68v4-v8fg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-10T15:53:11.968495Z", "id": "CVE-2025-46835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-10T15:53:21.530Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html"}, {"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:10:52.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html"}, {"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:10:52.169Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-10T15:53:11.968495Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-10T15:53:16.057Z"}}], "cna": {"title": "Git GUI can create and overwrite files for which the user has write permission", "source": {"advisory": "GHSA-xfx7-68v4-v8fg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "j6t", "product": "git-gui", "versions": [{"status": "affected", "version": "< 2.43.7"}, {"status": "affected", "version": ">= 2.44.0, < 2.44.4"}, {"status": "affected", "version": ">= 2.45.0, < 2.45.4"}, {"status": "affected", "version": ">= 2.46.0, < 2.46.4"}, {"status": "affected", "version": ">= 2.47.0, < 2.47.3"}, {"status": "affected", "version": ">= 2.48.0, < 2.48.2"}, {"status": "affected", "version": ">= 2.49.0, < 2.49.1"}, {"status": "affected", "version": ">= 2.50.0, < 2.50.1"}]}], "references": [{"url": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg", "name": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da", "name": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-10T15:09:42.735Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46835", "state": "PUBLISHED", "dateUpdated": "2025-11-04T21:10:52.169Z", "dateReserved": "2025-04-30T19:41:58.135Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-10T15:09:42.735Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."}, {"lang": "es", "value": "Git GUI permite usar las herramientas de gesti\u00f3n de control de c\u00f3digo fuente de Git mediante una interfaz gr\u00e1fica de usuario. Cuando un usuario clona un repositorio no confiable y se le induce a editar un archivo ubicado en un directorio malicioso del repositorio, la interfaz gr\u00e1fica de Git puede crear y sobrescribir archivos para los que el usuario tiene permiso de escritura. Esta vulnerabilidad est\u00e1 corregida en las versiones 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 y 2.50.1."}], "id": "CVE-2025-46835", "lastModified": "2025-11-04T22:16:15.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-10T15:15:29.503", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da"}, {"source": "security-advisories@github.com", "url": "https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "git: Git GUI can create and overwrite files for which the user has write permission", "id": "2379326", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379326"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-88", "details": ["Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1."], "name": "CVE-2025-46835", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2025-07-10T15:09:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-46835\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-46835\nhttps://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da\nhttps://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg"], "statement": "Red Hat Product Security team has rated this vulnerability as having a Low severity. This is the fact the high complexity in the exploiting the vulnerability, additionally the user needs to be tricked to clone an untrusted repository and edit a file located in a directory with a maliciously crafted name.", "threat_severity": "Low"}

{}