CVE-2023-25652

"git apply --reject" partially-controlled arbitrary file write

CVSS 7.5 HIGH · EPSS 52.2% · CWE-22
In short

Git's `git apply --reject` command can be tricked into writing files outside the intended project folder, potentially overwriting important system files. This happens when processing maliciously crafted patches, allowing attackers to damage or compromise systems.

Technical detail

A path traversal vulnerability (CWE-22) in Git versions before the fixed releases (2.30.9 through 2.40.1, one per maintained branch) allows an attacker to overwrite arbitrary files outside the repository working tree via specially crafted patches supplied to `git apply --reject`. The vulnerability is triggered while the `*.rej` rejection files are written; exploitation requires the victim to apply an untrusted patch using the `--reject` flag.

Summary generated and translated by AI from the official description.
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
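As an added example (not git's own code and not from the advisory), a small POSIX shell pre-flight for the workaround above: it tells whether a git version string is at or past the fixed release for its branch, and lists the paths a patch touches to see whether a matching `*.rej` entry in the working tree is already a symlink, the precondition the description names. It assumes a plain `-p1` unified diff with `+++ b/<path>` headers and paths without whitespace.

```shell
#!/bin/sh
# Pre-flight checks before running `git apply --reject` on an untrusted patch.
# Added example; assumes "+++ b/<path>" headers (-p1) and whitespace-free paths.

# Fixed patch level for each maintained 2.x branch listed in the advisory.
fixed_patch_for_minor() {
  case "$1" in
    30) echo 9 ;; 31) echo 8 ;; 32) echo 7 ;; 33) echo 8 ;;
    34) echo 8 ;; 35) echo 8 ;; 36) echo 6 ;; 37) echo 7 ;;
    38) echo 5 ;; 39) echo 3 ;; 40) echo 1 ;;
    *)  echo "" ;;
  esac
}

# git_is_fixed "2.39.2" -> exit 0 if that release contains the fix, 1 otherwise.
# Feed it the version from `git --version | awk '{print $3}'`.
git_is_fixed() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0      # "2.41" carries no patch component
  [ "$major" -gt 2 ] && return 0
  [ "$major" -lt 2 ] && return 1
  [ "$minor" -gt 40 ] && return 0        # 2.41 and later ship with the fix
  need=$(fixed_patch_for_minor "$minor")
  [ -n "$need" ] || return 1             # branches before 2.30 got no fix
  [ "$patch" -ge "$need" ]
}

# patch_target_paths FILE -> one line per path the patch modifies.
patch_target_paths() {
  awk '/^\+\+\+ b\//{sub(/^\+\+\+ b\//, ""); print}' "$1"
}

# rej_symlinks FILE REPO -> prints every "<path>.rej" under REPO that is
# already a symlink (dangling ones included); exit 1 if any were found.
rej_symlinks() {
  found=0
  for p in $(patch_target_paths "$1"); do
    if [ -L "$2/$p.rej" ]; then
      printf '%s -> %s\n' "$2/$p.rej" "$(readlink "$2/$p.rej")"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}
```

Run `rej_symlinks patch.diff .` in the repository root; a non-zero exit means a `*.rej` path is a link and the patch should not be applied with `--reject`.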
Affected products
git · git
