CVE-2023-23618
8.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when gitk is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using gitk (or Git GUI's "Visualize History" functionality) in clones of untrusted repositories.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| git-for-windows | git | < 2.39.2 | affected |
Weaknesses
- CWE-426: CWE-426: Untrusted Search Path
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm
- https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c
- https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1
- https://wiki.tcl-lang.org/page/exec
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm
- https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c
- https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1
- https://wiki.tcl-lang.org/page/exec
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.