Vulnerability-Lookup

CVE-2022-41953 (GCVE-0-2022-41953)

Vulnerability from cvelistv5 – Published: 2023-01-17 21:03 – Updated: 2025-03-10 21:22

Title

Git clone remote code execution vulnerability in git-for-windows

Summary

Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-426 - Untrusted Search Path

Assigner

GitHub_M

References

URL

Tags

	https://github.com/git-for-windows/git/security/a…	x_refsource_CONFIRM
	https://github.com/git-for-windows/git/pull/4219	x_refsource_MISC
	https://github.com/git-for-windows/git/commit/736…	x_refsource_MISC
	https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	git-for-windows	git	Affected: < 2.39.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:56:38.563Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c"
          },
          {
            "name": "https://github.com/git-for-windows/git/pull/4219",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/git-for-windows/git/pull/4219"
          },
          {
            "name": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f"
          },
          {
            "name": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41953",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:58:35.869270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:22:28.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "git",
          "vendor": "git-for-windows",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.39.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-17T21:03:14.721Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c"
        },
        {
          "name": "https://github.com/git-for-windows/git/pull/4219",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git-for-windows/git/pull/4219"
        },
        {
          "name": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f"
        },
        {
          "name": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23"
        }
      ],
      "source": {
        "advisory": "GHSA-v4px-mx59-w99c",
        "discovery": "UNKNOWN"
      },
      "title": "Git clone remote code execution vulnerability in git-for-windows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-41953",
    "datePublished": "2023-01-17T21:03:14.721Z",
    "dateReserved": "2022-09-30T16:38:28.945Z",
    "dateUpdated": "2025-03-10T21:22:28.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c\", \"name\": \"https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/git-for-windows/git/pull/4219\", \"name\": \"https://github.com/git-for-windows/git/pull/4219\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f\", \"name\": \"https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23\", \"name\": \"https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:56:38.563Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41953\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T20:58:35.869270Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T20:58:37.518Z\"}}], \"cna\": {\"title\": \"Git clone remote code execution vulnerability in git-for-windows\", \"source\": {\"advisory\": \"GHSA-v4px-mx59-w99c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"git-for-windows\", \"product\": \"git\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.39.1\"}]}], \"references\": [{\"url\": \"https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c\", \"name\": \"https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/git-for-windows/git/pull/4219\", \"name\": \"https://github.com/git-for-windows/git/pull/4219\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f\", \"name\": \"https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23\", \"name\": \"https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-426\", \"description\": \"CWE-426: Untrusted Search Path\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-01-17T21:03:14.721Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-41953\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:22:28.600Z\", \"dateReserved\": \"2022-09-30T16:38:28.945Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-01-17T21:03:14.721Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-41953

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-41953

Aliases

CVE-2022-41953

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-41953",
    "id": "GSD-2022-41953"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-41953"
      ],
      "details": "Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.",
      "id": "GSD-2022-41953",
      "modified": "2023-12-13T01:19:33.079119Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-41953",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "git",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.39.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "git-for-windows"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-426",
                "lang": "eng",
                "value": "CWE-426: Untrusted Search Path"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c",
            "refsource": "MISC",
            "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c"
          },
          {
            "name": "https://github.com/git-for-windows/git/pull/4219",
            "refsource": "MISC",
            "url": "https://github.com/git-for-windows/git/pull/4219"
          },
          {
            "name": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f",
            "refsource": "MISC",
            "url": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f"
          },
          {
            "name": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23",
            "refsource": "MISC",
            "url": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-v4px-mx59-w99c",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "2.39.1",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-41953"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-426"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/git-for-windows/git/pull/4219",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/git-for-windows/git/pull/4219"
            },
            {
              "name": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23"
            },
            {
              "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c"
            },
            {
              "name": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-01-25T14:13Z",
      "publishedDate": "2023-01-17T22:15Z"
    }
  }
}

CVE-2022-41953

Vulnerability from fstec - Published: 17.01.2023

Title

Уязвимость функции клонирования репозиториев графического инструмента Git GUI распределенной системы контроля версий Git for Windows, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость функции клонирования репозиториев графического инструмента Git GUI распределенной системы контроля версий Git for Windowst связана с использованием ненадёжного пути поиска при проверки орфографии клонированных репозиториев. Эксплуатация уязвимости может позволить нарушителю выполнить произвольный код при клонировании ненадежных репозиториев

Severity ?


                    
                      AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vendor

Microsoft Corp, Linus Torvalds, Junio Hamano

Software Name

Microsoft Visual Studio 2022, Git, Microsoft Visual Studio 2017, Microsoft Visual Studio 2019

Software Version

17.0 (Microsoft Visual Studio 2022), 17.2 (Microsoft Visual Studio 2022), 17.4 (Microsoft Visual Studio 2022), до 2.39.1 (Git), от 15.0 до 15.8 включительно (Microsoft Visual Studio 2017), от 16.0 до 16.10 включительно (Microsoft Visual Studio 2019)

Possible Mitigations

Использование рекомендаций: Для Git GUI: https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f https://github.com/git-for-windows/git/pull/4219 https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c Для продуктов Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41953 Компенсирующие меры: - не использовать Git GUI в Windows при клонировании ненадежных репозиториев.

Reference

https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c https://github.com/git-for-windows/git/pull/4219 https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23 https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/ https://www.cybersecurity-help.cz/vdb/SB2023011739 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41953

CWE

CWE-426

JSON

To clipboard

{
  "CVSS 2.0": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "TO708",
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": "TO708 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Visual Studio 2019 16.11.30",
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Microsoft Corp, Linus Torvalds, Junio Hamano",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "17.0 (Microsoft Visual Studio 2022), 17.2 (Microsoft Visual Studio 2022), 17.4 (Microsoft Visual Studio 2022), \u0434\u043e 2.39.1 (Git), \u043e\u0442 15.0 \u0434\u043e 15.8 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Microsoft Visual Studio 2017), \u043e\u0442 16.0 \u0434\u043e 16.10 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Microsoft Visual Studio 2019)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Git GUI:\nhttps://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f\t\nhttps://github.com/git-for-windows/git/pull/4219\t\nhttps://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Microsoft:\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41953\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u043d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c Git GUI \u0432 Windows \u043f\u0440\u0438 \u043a\u043b\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0438 \u043d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u044b\u0445 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0435\u0432.",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "17.01.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "10.10.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "08.02.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-00599",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-41953",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Microsoft Visual Studio 2022, Git, Microsoft Visual Studio 2017, Microsoft Visual Studio 2019",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Microsoft Corp Windows - ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u043a\u043b\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0435\u0432 \u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u043e\u0433\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 Git GUI \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0432\u0435\u0440\u0441\u0438\u0439 Git for Windows, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u044b\u0439 \u043f\u0443\u0442\u044c \u043f\u043e\u0438\u0441\u043a\u0430 (CWE-426)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u043a\u043b\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0435\u0432 \u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u043e\u0433\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 Git GUI \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0432\u0435\u0440\u0441\u0438\u0439 Git for Windowst \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043d\u0435\u043d\u0430\u0434\u0451\u0436\u043d\u043e\u0433\u043e \u043f\u0443\u0442\u0438 \u043f\u043e\u0438\u0441\u043a\u0430 \u043f\u0440\u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u043e\u0440\u0444\u043e\u0433\u0440\u0430\u0444\u0438\u0438 \u043a\u043b\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0435\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0440\u0438 \u043a\u043b\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0438 \u043d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u044b\u0445 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u0435\u0432",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c\nhttps://github.com/git-for-windows/git/pull/4219\nhttps://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23\nhttps://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/\nhttps://www.cybersecurity-help.cz/vdb/SB2023011739\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41953",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-426",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,2)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,6)"
}

FKIE_CVE-2022-41953

Vulnerability from fkie_nvd - Published: 2023-01-17 22:15 - Updated: 2024-11-21 07:24

Severity ?

8.6 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/git-for-windows/git/pull/4219	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c	Patch, Third Party Advisory
security-advisories@github.com	https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/git-for-windows/git/pull/4219	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23	Third Party Advisory

Impacted products

	Vendor	Product	Version
	git-scm	git	*
	microsoft	windows	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A20392B8-194B-4CF5-AC5F-BADD4BA6F8BB",
              "versionEndExcluding": "2.39.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources."
    },
    {
      "lang": "es",
      "value": "Git GUI es una pr\u00e1ctica herramienta gr\u00e1fica que viene con Git para Windows. Su p\u00fablico objetivo son los usuarios que no se sienten c\u00f3modos usando Git en la l\u00ednea de comandos. Git GUI tiene una funci\u00f3n para clonar repositorios. Inmediatamente despu\u00e9s de que el clon local est\u00e9 disponible, la GUI de Git lo procesar\u00e1 autom\u00e1ticamente y, entre otras cosas, ejecutar\u00e1 un corrector ortogr\u00e1fico llamado `aspell.exe` si se encuentra. La GUI de Git se implementa como un script Tcl/Tk. Debido al desafortunado dise\u00f1o de Tcl en Windows, la ruta de b\u00fasqueda cuando se busca un ejecutable _siempre incluye el directorio actual_. Por lo tanto, los repositorios maliciosos pueden incluir un `aspell.exe` en su directorio de nivel superior que se ejecuta mediante la GUI de Git sin darle al usuario la oportunidad de inspeccionarlo primero, es decir, ejecutando c\u00f3digo que no es de confianza. Este problema se solucion\u00f3 en la versi\u00f3n 2.39.1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben evitar usar la GUI de Git para la clonaci\u00f3n. Si esa no es una opci\u00f3n viable, al menos evite la clonaci\u00f3n de fuentes no confiables."
    }
  ],
  "id": "CVE-2022-41953",
  "lastModified": "2024-11-21T07:24:08.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-17T22:15:10.747",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/git-for-windows/git/pull/4219"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/git-for-windows/git/pull/4219"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-426"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-41953 (GCVE-0-2022-41953)

GSD-2022-41953

CVE-2022-41953

FKIE_CVE-2022-41953

Tags

Sightings

Nomenclature