CVE-2022-39253
CVE-2022-39253 is a medium-severity vulnerability in Git-scm Git with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-59.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- EPSS exploit prediction: 1% (68th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-59
- Affected product: Git-scm Git
- Published:
- Last modified:
Description
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
Frequently asked questions
- What is CVE-2022-39253?
- Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
- How severe is CVE-2022-39253?
- CVE-2022-39253 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-39253 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (68th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-39253?
- CVE-2022-39253 primarily affects Git-scm Git. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-39253?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-39253 published?
- CVE-2022-39253 was published on 2022-10-19 and last updated on 2026-06-17.
References
- http://seclists.org/fulldisclosure/2022/Nov/1
- http://www.openwall.com/lists/oss-security/2023/02/14/5
- http://www.openwall.com/lists/oss-security/2024/05/14/2
- https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
- https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMQWGMDLX6KTVWW5JZLVPI7ICAK72TN7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/
- https://security.gentoo.org/glsa/202312-15
- https://support.apple.com/kb/HT213496
Affected products (7)
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.38.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Git-scm Git
- CVE-2022-41903 — Critical (CVSS 9.8): Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format`…
- CVE-2022-23521 — Critical (CVSS 9.8): Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These…
- CVE-2014-9390 — Critical (CVSS 9.8): Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and…
- CVE-2019-1353 — Critical (CVSS 9.8): An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6,…
- CVE-2018-19486 — Critical (CVSS 9.8): Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of…
- CVE-2018-17456 — Critical (CVSS 9.8): Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x…
All CVEs affecting Git-scm Git →
Other CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities
- CVE-2024-37143 — Critical (CVSS 10.0): Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM…
- CVE-2024-28189 — Critical (CVSS 10.0): Judge0 is an open-source online code execution system. The application uses the UNIX chown command on an untrusted file…
- CVE-2024-28185 — Critical (CVSS 10.0): Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the…
- CVE-2022-22995 — Critical (CVSS 10.0): The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of…
- CVE-2014-4480 — Critical (CVSS 10.0): Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows…
- CVE-2002-2374 — Critical (CVSS 10.0): Unspecified vulnerability in pprosetup in Sun PatchPro 2.0 has unknown impact and attack vectors related to "unsafe use…
Browse all CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities →