[Nulled] » Information security » Git has fixed two critical vulnerabilities that could allow attackers to execute RCE
January 23 2023

Git has fixed two critical vulnerabilities that could allow attackers

Git has fixed two critical vulnerabilities that could allow attackers to execute RCE after successfully exploiting heap-based buffer overflow vulnerabilities.

The third Windows-specific flaw affecting the Git GUI is caused by the vulnerability of an unreliable search path and allows unauthorized attackers to perform low-complexity attacks using unreliable code.

Researchers Eric Sesterhenn and Marcus Vervier from X41, as well as Jorn Schneeweis from GitLab discovered them during an audit of the Git source code commissioned by OSTIF.

The first two vulnerabilities: one CVE-2022-41903 - in the mechanism of formatting commits and CVE-2022-23521 - in the gitattributes parser - have been fixed in new versions starting from 2.30.7.

The third, tracked as CVE-2022-41953, is still awaiting a fix, but users can work around the problem by not using Git GUI software to clone repositories or avoiding cloning from unreliable sources.

The most serious of them allows an attacker to initiate memory corruption in the heap during cloning or extraction, which leads to RCE, and the other allows it during archiving, which is usually performed by Git forgeries.

In addition, quite a lot of problems related to integers have been identified, which can lead to denial of service situations or reading out of bounds.

Users who do not have the ability to update, to protect against threats, you should disable the "git archive" in untrusted repositories or avoid running the command in untrusted repositories.

If the "git archive" is accessible via "git daemon", you must disable it when working with untrusted repositories by running the command "git config --global daemon.uploadArch false".

GitLab insists that the most effective way to protect is to update all installations to the latest version of Git v2.39.1 as soon as possible.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: AdequateSchizo
  • Date of publication: 23 January 2023 12:22
  • Publication category(s): Information security
  • Number of views of the publication: 154
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
The Taiwanese NAS

The Taiwanese NAS manufacturer Synology has eliminated the vulnerability of the maximum (10/10) severity in VPN

Read more
23 January 2023
Information security
RCE vulnerabilities were

RCE vulnerabilities were discovered in TP-Link and NetComm routers. CVE-2022-4498 and CVE-2022-4499 affect TP-Link

Read more
16 January 2023
Information security
The first January ICS

The first January ICS fixes came up with a dozen security recommendations from Siemens and Schneider Electric,

Read more
16 January 2023
Information security
Thousands of Citrix ADC

Thousands of Citrix ADC and Gateway servers remain vulnerable to two major vulnerabilities fixed recently.

Read more
16 January 2023
Information security
Juniper Networks has

Juniper Networks has released the first security recommendations in 2023, which cover more than 230

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +5 Total articles 6750
  • +17 Comments 4231
  • +42 Users : 6061