NVD

CVE-2022-41903 Detail

Description

Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

Severity

CVSS 3.x Severity and Metrics:

CNA: GitHub, Inc.

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: The NVD and the CNA have provided the same score. When this occurs only the CNA information is displayed, but the Acceptance Level icon for the CNA is given a checkmark to signify NVD concurrence.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst	Vendor Advisory
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem	Vendor Advisory
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76	Patch Release Notes Third Party Advisory
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq	Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-190	Integer Overflow or Wraparound	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

1 change records found show changes

Initial Analysis by NIST 1/25/2023 9:32:26 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 945 characters. View Entire Change Record OR cpe:2.3:a:git-scm:git::::::::* versions up to (including) 2.30.6 cpe:2.3:a:git-scm:git::::::::* versions from (including) 2.31.0 up to (including) 2.31.5 cpe:2.3:a:git-scm:git::::::::* versions from (including) 2.32.0 up to (including) 2.32.4 cpe:2.3:a:git-scm:git::::::::* versions from (including) 2.33.0 up to (including) 2.33.5 cpe:2.3:a:git-scm:git::::::::* versions from (including) 2.34.0 up to (including) 2.34.5 *cpe:2
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Changed	Reference Type	https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst No Types Assigned	https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst Vendor Advisory
Changed	Reference Type	https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem No Types Assigned	https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem Vendor Advisory
Changed	Reference Type	https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76 No Types Assigned	https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76 Patch, Release Notes, Third Party Advisory
Changed	Reference Type	https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq No Types Assigned	https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq Third Party Advisory

Quick Info

CVE Dictionary Entry:
CVE-2022-41903
NVD Published Date:
01/17/2023
NVD Last Modified:
01/25/2023
Source:
GitHub, Inc.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database