Unrated severityNVD Advisory· Published Apr 25, 2023· Updated Nov 4, 2025
Arbitrary configuration injection via `git submodule deinit`
CVE-2023-29007
Description
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.
Affected products
60- osv-coords59 versionspkg:apk/chainguard/gitpkg:apk/chainguard/git-completionpkg:apk/chainguard/git-daemonpkg:apk/chainguard/git-docpkg:apk/chainguard/git-emailpkg:apk/chainguard/git-iamguarded-compatpkg:apk/chainguard/git-p4pkg:apk/wolfi/gitpkg:apk/wolfi/git-completionpkg:apk/wolfi/git-daemonpkg:apk/wolfi/git-docpkg:apk/wolfi/git-emailpkg:apk/wolfi/git-iamguarded-compatpkg:apk/wolfi/git-p4pkg:rpm/almalinux/gitpkg:rpm/almalinux/git-allpkg:rpm/almalinux/git-corepkg:rpm/almalinux/git-core-docpkg:rpm/almalinux/git-credential-libsecretpkg:rpm/almalinux/git-daemonpkg:rpm/almalinux/git-emailpkg:rpm/almalinux/git-guipkg:rpm/almalinux/git-instawebpkg:rpm/almalinux/gitkpkg:rpm/almalinux/git-subtreepkg:rpm/almalinux/git-svnpkg:rpm/almalinux/gitwebpkg:rpm/almalinux/perl-Gitpkg:rpm/almalinux/perl-Git-SVNpkg:rpm/opensuse/git&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/git&distro=openSUSE%20Tumbleweedpkg:rpm/suse/git&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/git&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/git&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/git&distro=SUSE%20Manager%20Proxy%204.2pkg:rpm/suse/git&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/git&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 2.40.1-r0+ 58 more
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.40.1-r0
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.39.3-1.el9_2
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.40.1-1.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.26.2-150000.50.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.35.3-150300.10.27.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-27.69.1
- (no CPE)range: < 2.26.2-27.69.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txtmitrex_refsource_MISC
- github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4mitrex_refsource_MISC
- github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844mitrex_refsource_CONFIRM
- lists.debian.org/debian-lts-announce/2024/06/msg00018.htmlmitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/mitre
- security.gentoo.org/glsa/202312-15mitre
News mentions
0No linked articles in our index yet.