{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-19T21:12:31.362Z", "datePublished": "2023-02-14T19:48:00.554Z", "dateUpdated": "2025-02-13T16:44:12.269Z"}, "containers": {"cna": {"title": "Git's `git apply` overwriting paths outside the working tree", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh"}, {"name": "https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd", "tags": ["x_refsource_MISC"], "url": "https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd"}, {"url": "https://security.gentoo.org/glsa/202312-15"}], "affected": [{"vendor": "git", "product": "git", "versions": [{"version": ">= 2.39.0, < 2.39.2", "status": "affected"}, {"version": ">= 2.38.0, < 2.38.4", "status": "affected"}, {"version": ">= 2.37.0, < 2.37.6", "status": "affected"}, {"version": ">= 2.36.0, < 2.36.5", "status": "affected"}, {"version": ">= 2.35.0, < 2.35.7", "status": "affected"}, {"version": ">= 2.34.0, < 2.34.7", "status": "affected"}, {"version": ">= 2.33.0, < 2.33.7", "status": "affected"}, {"version": ">= 2.32.0, < 2.32.6", "status": "affected"}, {"version": ">= 2.31.0, < 2.31.7", "status": "affected"}, {"version": "< 2.30.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-27T10:06:31.121Z"}, "descriptions": [{"lang": "en", "value": "Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link."}], "source": {"advisory": "GHSA-r87m-v37r-cwfh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:49:07.949Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh"}, {"name": "https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd"}, {"url": "https://security.gentoo.org/glsa/202312-15", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "A79D6A15-AE40-4F6C-AA1F-87C902373343", "versionEndExcluding": "2.30.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "D60B37A3-4B8C-4BC2-95E9-5E63EDAEBA3A", "versionEndExcluding": "2.31.7", "versionStartIncluding": "2.31.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "E699ED14-3B80-4C04-AAA0-549F48581D66", "versionEndExcluding": "2.32.6", "versionStartIncluding": "2.32.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "804BE43B-E2AF-4EC8-BF8B-C292EBC4D265", "versionEndExcluding": "2.33.7", "versionStartIncluding": "2.33.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "098C9D07-94CD-4C87-9268-20ED94BBBE12", "versionEndExcluding": "2.34.7", "versionStartIncluding": "2.34.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "1870DF30-7795-4594-8523-DC587B60FB74", "versionEndExcluding": "2.35.7", "versionStartIncluding": "2.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "0588D372-41D2-442E-976E-6B24DB1A1EC6", "versionEndExcluding": "2.36.5", "versionStartIncluding": "2.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDF24A4B-BC6D-499D-A0B2-2F90C691F963", "versionEndExcluding": "2.37.6", "versionStartIncluding": "2.37.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7E6A7FF-F1E2-4099-9102-65F68AA42E1B", "versionEndExcluding": "2.38.4", "versionStartIncluding": "2.38.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "52B03913-E564-4AE0-9F2E-BEAEEA13C85A", "versionEndExcluding": "2.39.2", "versionStartIncluding": "2.39.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link."}], "id": "CVE-2023-23946", "lastModified": "2024-11-21T07:47:09.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-14T20:15:17.457", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh"}, {"source": "security-advisories@github.com", "url": "https://security.gentoo.org/glsa/202312-15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202312-15"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3246", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-0:2.39.3-1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:0407", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "git-0:2.31.8-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2023:3245", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "git-0:2.39.3-1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-22T00:00:00Z"}], "bugzilla": {"description": "git: git apply: a path outside the working tree can be overwritten with crafted input", "id": "2168161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168161"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.", "A vulnerability was found in Git. This security issue occurs when feeding a crafted input to \"git apply.\" A path outside the working tree can be overwritten by the user running \"git apply.\""], "mitigation": {"lang": "en:us", "value": "Use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link."}, "name": "CVE-2023-23946", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat JBoss Data Grid 7"}], "public_date": "2023-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-23946\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-23946\nhttps://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/\nhttps://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh"], "statement": "This vulnerability marked as Moderate severity and it's less likely to be exploitable because it requires a specially crafted malicious patch to be applied via git apply, to overwrite files outside the working tree of the user running git apply. This could lead to some compromise of integrity of resources under certain circumstances, however it does not compromise the whole system or gain additional privileges to execute arbitrary code, or allow remote users to cause a denial of service.", "threat_severity": "Moderate"}