Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/git-for-windows/git: CVE-2022-31012 #514

Closed
GoVulnBot opened this issue Jul 12, 2022 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/git-for-windows/git: CVE-2022-31012 #514

GoVulnBot opened this issue Jul 12, 2022 · 1 comment
Assignees
@neild
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2022-31012 references github.com/git-for-windows/git, which may be a Go module.

Description:
Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer execute a binary into C:\mingw64\bin\git.exe by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. Create the C:\mingw64 folder and remove read/write access from this folder, or disallow arbitrary authenticated users to create folders in C:\.

Links:

See doc/triage.md for instructions on how to triage this report.

packages:
  - module: github.com/git-for-windows/git
    package: git
description: |
    Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer execute a binary into `C:\mingw64\bin\git.exe` by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. Create the `C:\mingw64` folder  and remove read/write access from this folder, or disallow arbitrary authenticated users to create folders in `C:\`.
cves:
  - CVE-2022-31012
links:
    context:
      - https://github.com/git-for-windows/git/releases/tag/v2.37.1.windows.1
      - https://github.com/git-for-windows/git/security/advisories/GHSA-gjrj-fxvp-hjj2
@neild neild self-assigned this Jul 27, 2022
@neild
Copy link
Contributor

neild commented Jul 27, 2022

Not Go.

@neild neild closed this as completed Jul 27, 2022
@neild neild added excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed NotGoVuln labels Aug 11, 2022
@GoVulnBot GoVulnBot mentioned this issue Jan 17, 2023
Closed
This was referenced Feb 14, 2023
Closed
Closed
This was referenced Apr 25, 2023
Closed
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@neild neild

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@neild @GoVulnBot