Git Releases New Security Updates to Block Remote Code Execution Attacks


The Git project has released new versions that address two critical security vulnerabilities which could allow attackers to achieve remote code execution. A third, Windows-specific flaw affecting the Git GUI tool has also been patched in Git for Windows.

Security researchers from X41 and the GitLab Security Research Team identified the vulnerabilities during an audit of the Git codebase. The first two flaws are integer overflows that lead to out-of-bounds heap reads and writes: CVE-2022-23521 sits in the `.gitattributes` parser and is reachable during clone and pull operations, while CVE-2022-41903 sits in the commit formatting code behind `git log --format`, which `git archive` also exercises for files carrying the `export-subst` attribute. All Git releases up to and including 2.39.0 are affected, as are GitLab Community Edition (CE) and Enterprise Edition (EE), which bundle Git.

The third vulnerability, CVE-2022-41953, is an untrusted search path issue in Git GUI on Windows: a malicious repository can cause Git GUI to execute arbitrary code while it is being cloned. The fix ships with Git for Windows 2.39.1; users who cannot upgrade yet are advised not to clone repositories with Git GUI and not to clone repositories from untrusted sources.

“The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges. Additionally, a huge number of integer-related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input,” explained X41 security experts.

Git recommends that users upgrade to the latest version

The Git project urges administrators and developers to upgrade to Git 2.39.1, or to the corresponding patched maintenance release of their series, to protect against these vulnerabilities. It has also published workarounds for developers who cannot install the patched releases immediately.
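Checking a fleet for the upgrade is mostly a matter of parsing `git --version` correctly, since Git for Windows and Apple append vendor suffixes and older series received their own backported fixes. The script below is an added example written for this article, not code from the Git project: the table of first fixed release per maintenance series is taken from the Git v2.39.1 release announcement rather than from the article above, and the sample version strings at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from the Git project: decide
# whether a "git --version" string already carries the January 2023 fixes for
# CVE-2022-23521 and CVE-2022-41903. The first-fixed-release table comes from
# the Git v2.39.1 release announcement, not from the article; adjust it if your
# distribution backports the fix to a differently numbered package.

# "<minor> <first patched patch-level>" for every 2.x series that got a fix.
FIXED_RELEASES="30 7
31 6
32 5
33 6
34 6
35 6
36 4
37 5
38 3
39 1"

# git_is_patched "<output of git --version>"
# Prints "patched" or "vulnerable" on stdout; exit status 0 = patched,
# 1 = vulnerable, 2 = unparseable input. Handles "2.39" (meaning 2.39.0) and
# vendor suffixes such as "2.38.1.windows.1" or "2.39.1 (Apple Git-145)".
git_is_patched() {
    # Keep only the leading run of digits and dots after "git version ".
    ver=$(printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unrecognised version string: $1" >&2
        return 2
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0        # a bare "2" has no minor component
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "2.39" means 2.39.0
    patch=${patch%%.*}                    # drop ".windows.1" and similar tails
    [ -n "$patch" ] || patch=0

    if [ "$major" -gt 2 ]; then echo patched; return 0; fi
    if [ "$major" -lt 2 ] || [ "$minor" -lt 30 ]; then echo vulnerable; return 1; fi
    if [ "$minor" -gt 39 ]; then echo patched; return 0; fi

    # Look up the first patched patch-level for this maintenance series.
    fixed=$(printf '%s\n' "$FIXED_RELEASES" | awk -v m="$minor" '$1 == m { print $2 }')
    if [ "$patch" -ge "$fixed" ]; then echo patched; return 0; fi
    echo vulnerable
    return 1
}

# Constructed sample inputs so the script runs offline. For the real binary use:
#   git_is_patched "$(git --version)"
for sample in "git version 2.39.0" "git version 2.38.1.windows.1" \
              "git version 2.39.1 (Apple Git-145)" "git version 2.30.7"; do
    printf '%-40s -> %s\n' "$sample" "$(git_is_patched "$sample")"
done
```

Anything older than the 2.30 series never received a fix and is reported as vulnerable; a series newer than 2.39 is assumed to include it. Feed the function the output of `git --version` collected from each host, or run the script itself under your configuration management tool and act on the exit status.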

The announcement also outlines proactive steps that help protect users against this class of attack in the future; see the blog post for details.