Impact
A command argument injection flaw in TortoiseGit’s blame routine allows an attacker to craft a malicious Git history file name that is not properly neutralized, resulting in an arbitrary file write on the local system. The vulnerability, identified as CWE‑88, permits overwriting or creating arbitrary files, which could lead to unauthorized data modification or potentially execution of malicious code if the written files are later processed by the system.
Affected Systems
All versions of TortoiseGit prior to 2.19.0 are affected; the vulnerable component resides in the Blame feature of the client. No specific vendor products beyond TortoiseGit itself are listed.
Risk and Exploitability
The CVSS score of 5.5 indicates a medium severity. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a local or remote repository containing a malicious history file name that a user opens or pulls using TortoiseGit. While the flaw requires the victim to process the repository, it does not demand privileged access.
OpenCVE Enrichment