Description
CVE-2023-23946 references github.com/git/git, which may be a Go module.
Description:
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-23946
- JSON: https://github.com/CVEProject/cvelist/tree/2b08966df381245f84f2f5bc69b8e94f2e49734a/2023/23xxx/CVE-2023-23946.json
- fix: git/git@c867e4f
- web: GHSA-r87m-v37r-cwfh
- Imported by: https://pkg.go.dev/github.com/git/git?tab=importedby
Cross references:
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-29187 #513 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39253 #1068 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39260 #1069 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-23521 #1499 NOT_GO_CODE
- Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-41903 #1500 NOT_GO_CODE
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/git/git
packages:
- package: git
description: |
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
cves:
- CVE-2023-23946
references:
- fix: https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
- web: https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh