Git is an extensively used revision control system that helps developers manage their code bases. However, a newly discovered vulnerability affects multiple versions of Git and can potentially expose sensitive files to be included in malicious repositories, ultimately putting your data at risk of exfiltration. In this blog post, we will discuss the details of this vulnerability, CVE-2023-22490, review the affected Git versions, and provide helpful guidance on mitigating the risk.
Exploit Details
CVE-2023-22490 is a vulnerability in Git which can trick the system into employing its local clone optimization even when using a non-local transport. While Git does prevent local clones containing symbolic links from the $GIT_DIR/objects directory, the directory itself still may be a symbolic link. An attacker can take advantage of this to include arbitrary files in the malicious repository's working copy based on known paths on the victim's filesystem, allowing for data exfiltration similar to CVE-2022-39253.
2.39.2
These versions are scheduled for patching, and the fix will appear in the respective updated versions.
Mitigation Strategies
To decrease the risk of data exposure, it is highly recommended that you update your Git installation to a version with the vulnerability fix. If upgrading is not a viable option, consider implementing the following short-term workarounds:
1. When cloning repositories from untrusted sources, avoid using the --recurse-submodules flag. Instead, clone repositories without recursively cloning their submodules.
Example Code
$ git clone https://untrusted-source.example/repo.git
$ cd repo
$ git submodule update --init --recursive
2. After cloning a repository and before performing the git submodule update command, inspect the contents of each new .gitmodules file to ensure that it does not contain suspicious module URLs.
Example Code
$ cat .gitmodules
Remember, these workarounds should be considered temporary, and the best course of action to protect your data is to upgrade your Git installation to a fixed version as soon as possible.
Conclusion
CVE-2023-22490 is a serious vulnerability affecting multiple versions of Git, and timely action is crucial to safeguard your sensitive data. Keep your Git installation updated regularly to ensure you are protected from this and other vulnerabilities. Stay alert, exercise caution when cloning repositories from untrusted sources, and be proactive about implementing mitigations to avert any potential risks.
For further information, please refer to the original CVE-2023-22490 report and follow updates on the Git security mailing list.
Timeline
Published on: 02/14/2023 20:15:00 UTC
Last modified on: 02/23/2023 22:24:00 UTC