Unrated severityNVD Advisory· Published Jul 12, 2022· Updated Aug 3, 2024

Bypass of safe.directory protections in Git

CVE-2022-29187

Description

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Affected products

osv-coords79 versions
pkg:rpm/almalinux/git pkg:rpm/almalinux/git-all pkg:rpm/almalinux/git-core pkg:rpm/almalinux/git-core-doc pkg:rpm/almalinux/git-credential-libsecret pkg:rpm/almalinux/git-daemon pkg:rpm/almalinux/git-email pkg:rpm/almalinux/git-gui pkg:rpm/almalinux/git-instaweb pkg:rpm/almalinux/gitk pkg:rpm/almalinux/git-subtree pkg:rpm/almalinux/git-svn pkg:rpm/almalinux/gitweb pkg:rpm/almalinux/perl-Git pkg:rpm/almalinux/perl-Git-SVN pkg:rpm/opensuse/git&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/git&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/git&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/libgit2&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/libgit2&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/libgit2&distro=openSUSE%20Tumbleweed pkg:rpm/suse/git&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/git&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/git&distro=SUSE%20Enterprise%20Storage%207 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/git&distro=SUSE%20Manager%20Proxy%204.1 pkg:rpm/suse/git&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1 pkg:rpm/suse/git&distro=SUSE%20Manager%20Server%204.1 pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/libgit2&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/libgit2&distro=SUSE%20Enterprise%20Storage%207 pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/libgit2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/libgit2&distro=SUSE%20Manager%20Proxy%204.1 pkg:rpm/suse/libgit2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1 pkg:rpm/suse/libgit2&distro=SUSE%20Manager%20Server%204.1 pkg:rpm/suse/libgit2&distro=SUSE%20Manager%20Server%20Module%204.1 pkg:rpm/suse/libgit2&distro=SUSE%20Manager%20Server%20Module%204.2 pkg:rpm/suse/libgit2&distro=SUSE%20Manager%20Server%20Module%204.3
< 2.39.1-1.el9+ 78 more
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.39.1-1.el9
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.37.1-1.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 1.3.0-150400.3.3.1
- (no CPE)range: < 1.7.1-3.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.35.3-150300.10.15.1
- (no CPE)range: < 2.35.3-150300.10.15.1
- (no CPE)range: < 2.35.3-150300.10.15.1
- (no CPE)range: < 2.35.3-150300.10.15.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-150000.41.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 2.26.2-27.57.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 1.3.0-150400.3.3.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.26.8-150000.3.15.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
- (no CPE)range: < 0.28.4-150200.3.3.1
Git/Gitv5
Range: >= 2.30.3, < 2.30.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/mitrevendor-advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/mitrevendor-advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/mitrevendor-advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/mitrevendor-advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/mitrevendor-advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/mitrevendor-advisory
security.gentoo.org/glsa/202312-15mitrevendor-advisory
security.gentoo.org/glsa/202401-17mitrevendor-advisory
seclists.org/fulldisclosure/2022/Nov/1mitremailing-list
www.openwall.com/lists/oss-security/2022/07/14/1mitremailing-list
lists.debian.org/debian-lts-announce/2022/12/msg00025.htmlmitremailing-list
github.blog/2022-04-12-git-security-vulnerability-announcedmitre
github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3vmitre
lore.kernel.org/git/xmqqv8s2fefi.fsf%40gitster.g/T/mitre
support.apple.com/kb/HT213496mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000