- Git is affected by two critical vulnerabilities, both of which can lead to remote code execution.
- Git has released v2.39.1 to fix both issues; the older maintenance series, down to v2.30, have also received updated releases.
- Git urges developers to update their installations immediately, given the high severity and possible impact of the vulnerabilities.
Git, the distributed version control system originally developed by Linus Torvalds for Linux kernel development, has been found vulnerable. The two vulnerabilities, both rated "Critical", were discovered by security researchers from X41 and GitLab and have now been fixed.
Both flaws allow remote code execution
The first vulnerability, CVE-2022-41903, is a heap overflow in the commit formatting code used by `git log --format` and by `git archive`. When the padding operators of a format string (for example `%<(`, `%>(` or `%><(`) are processed, an integer overflow occurs in the length calculation, and the truncated value is then used as an offset in a subsequent `memcpy()`, which can lead to remote code execution. A user can trigger it directly with `git log --format=...`, and it can also be reached indirectly through `git archive`, which expands format specifiers inside files that a repository's `.gitattributes` marks with `export-subst`. The second critical vulnerability, CVE-2022-23521, is a set of integer overflows in the `.gitattributes` parser, triggered by a file with a very large number of path patterns, a very large number of attributes for a single pattern, or very long attribute names. Because a crafted `.gitattributes` file can be part of a repository's commit history, the overflows can be reached by operating on an untrusted repository; they allow arbitrary heap reads and writes and therefore also remote code execution.
These issues affect all Git versions up to and including v2.39.0 and are fixed in v2.39.1. The fixes have also been backported to the older maintenance series of the distributed version control system, down to the v2.30 series. The fixed versions of Git are listed below:
- v2.30.7
- v2.31.6
- v2.32.5
- v2.33.6
- v2.34.6
- v2.35.6
- v2.36.4
- v2.37.5
- v2.38.3
- v2.39.1
Git urges developers to apply the updates immediately to avoid attacks exploiting these vulnerabilities.
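A quick way to tell whether an installed Git falls inside one of the fixed ranges listed above. This is an added example, not code from the Git project or from the original article: it parses the output of `git --version` and compares it against the first patched point release of each maintenance series. The function names (`parse_git_version`, `is_patched`, `classify`, `check_installed_git`) and the sample version strings are my own.

```python
import re
import subprocess

# First patched point release of each maintenance series, taken from the
# Git release announcement for CVE-2022-23521 and CVE-2022-41903.
FIXED_RELEASES = {
    (2, 30): 7,
    (2, 31): 6,
    (2, 32): 5,
    (2, 33): 6,
    (2, 34): 6,
    (2, 35): 6,
    (2, 36): 4,
    (2, 37): 5,
    (2, 38): 3,
    (2, 39): 1,
}

NEWEST_FIXED_SERIES = max(FIXED_RELEASES)   # (2, 39)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_git_version(text):
    """Return (major, minor, patch) from `git --version` output.

    Tolerates vendor suffixes such as "2.39.1.windows.1" or
    "2.37.3 (Apple Git-136)" by taking the first dotted triple.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if this upstream version number carries the fixes for both CVEs."""
    major, minor, patch = version
    series = (major, minor)
    if series in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[series]
    if series > NEWEST_FIXED_SERIES:
        return True      # released after v2.39.1, so it includes the fix
    return False         # older than the v2.30 series: no fixed release exists


def classify(version_text):
    """Map one `git --version` line to a short verdict string."""
    version = parse_git_version(version_text)
    label = ".".join(str(p) for p in version)
    if is_patched(version):
        return f"{label}: patched"
    series = version[:2]
    if series in FIXED_RELEASES:
        target = f"v{series[0]}.{series[1]}.{FIXED_RELEASES[series]}"
        return f"{label}: vulnerable, upgrade to {target} or later"
    return f"{label}: vulnerable, series has no fixed release; upgrade to v2.39.1 or later"


def check_installed_git():
    """Run the real `git --version` on this machine and classify it."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return classify(out)


if __name__ == "__main__":
    # Constructed sample outputs (not real captures) for an offline demonstration.
    for sample in ("git version 2.39.0",
                   "git version 2.37.3 (Apple Git-136)",
                   "git version 2.38.3.windows.1",
                   "git version 2.29.2"):
        print(classify(sample))
    try:
        print("installed:", check_installed_git())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("installed: could not run git:", exc)
```

One caveat before trusting the verdict: Linux distributions commonly backport security fixes without changing the upstream version number, so a distro-packaged Git reporting, say, 2.30.2 may already contain the fix. A "vulnerable" result from this check therefore means "confirm against your vendor's advisory", while a "patched" result on an upstream build is reliable. Until the upgrade is in place, the Git announcement's stopgap for CVE-2022-41903 is to avoid running `git archive` on untrusted repositories and, where `git daemon` exposes archiving, to turn it off with `git config --global daemon.uploadArch false`; there is no equivalent workaround for CVE-2022-23521 other than upgrading.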