CVE-2023-23618 - Vulnerability Details - OpenCVE

Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when `gitk` is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using `gitk` (or Git GUI's "Visualize History" functionality) in clones of untrusted repositories.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Git For Windows Project	Git For Windows

Configuration 1 [-]

cpe:2.3:a:git_for_windows_project:git_for_windows:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c
https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1
https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm
https://wiki.tcl-lang.org/page/exec

History

Mon, 10 Mar 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-02-14T20:38:04.921Z

Updated: 2025-03-10T21:11:24.730Z

Reserved: 2023-01-16T17:07:46.243Z

Link: CVE-2023-23618

Vulnrichment

Updated: 2024-08-02T10:35:33.594Z

NVD

Status : Modified

Published: 2023-02-14T21:15:13.170

Modified: 2024-11-21T07:46:32.707

Link: CVE-2023-23618

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23618", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.243Z", "datePublished": "2023-02-14T20:38:04.921Z", "dateUpdated": "2025-03-10T21:11:24.730Z"}, "containers": {"cna": {"title": "gitk can inadvertently call executables in the worktree", "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "lang": "en", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm"}, {"name": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c", "tags": ["x_refsource_MISC"], "url": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c"}, {"name": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1"}, {"name": "https://wiki.tcl-lang.org/page/exec", "tags": ["x_refsource_MISC"], "url": "https://wiki.tcl-lang.org/page/exec"}], "affected": [{"vendor": "git-for-windows", "product": "git", "versions": [{"version": "< 2.39.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-14T20:38:04.921Z"}, "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when `gitk` is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using `gitk` (or Git GUI's \"Visualize History\" functionality) in clones of untrusted repositories.\n"}], "source": {"advisory": "GHSA-wxwv-49qw-35pm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.594Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm"}, {"name": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c"}, {"name": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1"}, {"name": "https://wiki.tcl-lang.org/page/exec", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.tcl-lang.org/page/exec"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T20:57:52.068886Z", "id": "CVE-2023-23618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T21:11:24.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm", "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c", "name": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1", "name": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://wiki.tcl-lang.org/page/exec", "name": "https://wiki.tcl-lang.org/page/exec", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.594Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-23618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-10T20:57:52.068886Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T20:57:53.394Z"}}], "cna": {"title": "gitk can inadvertently call executables in the worktree", "source": {"advisory": "GHSA-wxwv-49qw-35pm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "git-for-windows", "product": "git", "versions": [{"status": "affected", "version": "< 2.39.2"}]}], "references": [{"url": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm", "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c", "name": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1", "name": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1", "tags": ["x_refsource_MISC"]}, {"url": "https://wiki.tcl-lang.org/page/exec", "name": "https://wiki.tcl-lang.org/page/exec", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when `gitk` is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using `gitk` (or Git GUI's \"Visualize History\" functionality) in clones of untrusted repositories.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-14T20:38:04.921Z"}}}, "cveMetadata": {"cveId": "CVE-2023-23618", "state": "PUBLISHED", "dateUpdated": "2025-03-10T21:11:24.730Z", "dateReserved": "2023-01-16T17:07:46.243Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-02-14T20:38:04.921Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git_for_windows_project:git_for_windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "613F976A-860B-4267-8364-74D7BC74030D", "versionEndExcluding": "2.39.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when `gitk` is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using `gitk` (or Git GUI's \"Visualize History\" functionality) in clones of untrusted repositories.\n"}, {"lang": "es", "value": "Git para Windows es el puerto de Windows del sistema de control de revisiones Git. Antes de Git para Windows versi\u00f3n 2.39.2, cuando `gitk` se ejecuta en Windows, potencialmente ejecuta archivos ejecutables del directorio actual sin darse cuenta, lo que puede explotarse con algo de ingenier\u00eda social para enga\u00f1ar a los usuarios para que ejecuten c\u00f3digo que no es de confianza. Hay un parche disponible en la versi\u00f3n 2.39.2. Como workaround, evite usar `gitk` (o la funcionalidad \"Visualizar historial\" de Git GUI) en clones de repositorios que no sean de confianza."}], "id": "CVE-2023-23618", "lastModified": "2024-11-21T07:46:32.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-14T21:15:13.170", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://wiki.tcl-lang.org/page/exec"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/git-for-windows/git/releases/tag/v2.39.2.windows.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://wiki.tcl-lang.org/page/exec"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}]}