Git allows arbitrary code execution through broken config quoting
Description
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, so the CR is lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
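As an added illustration (not Git's own code and not part of the advisory), the following Python models the round trip the description lays out: a toy config writer that, before the fix, leaves a trailing CR unquoted, a toy reader that strips a trailing CR/LF from unquoted values, and a defender-side scan of raw `.gitmodules` text that flags `path` values carrying control characters before the parser would silently drop them. The parser, the `fixed` switch and the sample `.gitmodules` content are assumptions constructed for the example; they only mimic the behaviour the description names and are not a faithful copy of Git's config code.

```python
"""Toy model of the config quoting round trip described in the advisory.

Added illustration, not Git's code. The writer/reader mimic two behaviours
the description names: the reader drops a trailing CR/LF from an unquoted
value, and the pre-fix writer does not treat a trailing CR as a reason to
quote. check_gitmodules() is the defender-side check: it inspects the raw
text, where the CR is still visible, rather than the parsed value.
"""
import re

SECTION_RE = re.compile(r'^\[submodule "([^"]*)"\]\s*$')
CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL, tab, DEL, ...


def _escape(value: str) -> str:
    """Escape a value for a double-quoted config string (toy rules)."""
    table = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\t": "\\t"}
    return "".join(table.get(ch, ch) for ch in value)   # a CR stays literal


def _unescape(body: str) -> str:
    """Inverse of _escape for the body of a double-quoted value."""
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append({"n": "\n", "t": "\t"}.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def write_value(key: str, value: str, fixed: bool) -> str:
    """Render one `key = value` config line.

    fixed=False models the pre-fix writer: values with surrounding blanks or
    special characters are quoted, but a trailing CR is not a quoting reason.
    fixed=True additionally quotes any value containing a CR.
    """
    needs_quote = (
        value != value.strip(" \t")
        or any(c in value for c in '"\\\n\t;#')
        or (fixed and "\r" in value)
    )
    rendered = f'"{_escape(value)}"' if needs_quote else value
    return f"\t{key} = {rendered}\n"


def read_value(line: str) -> str:
    """Parse the value of a config line: a trailing CR/LF is stripped first,
    then surrounding blanks; a double-quoted body is kept (CR included)."""
    _, _, raw = line.partition("=")
    raw = raw.rstrip("\r\n").strip(" \t")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw


def round_trip(value: str, fixed: bool) -> str:
    """Write a value with the chosen writer and read it back."""
    return read_value(write_value("path", value, fixed))


def check_gitmodules(text: str) -> list[str]:
    """Return names of submodules whose raw `path` value contains a control
    character. Works on the unparsed text so a trailing CR is still visible.
    A file that consistently uses CRLF line endings is normalised first so
    that ordinary Windows-style files are not reported."""
    lines = text.split("\n")
    if lines and all(l.endswith("\r") for l in lines if l):
        lines = [l[:-1] if l.endswith("\r") else l for l in lines]
    findings, current = [], None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        key, sep, raw = line.partition("=")
        if sep and key.strip() == "path" and current is not None:
            if CONTROL_CHAR_RE.search(raw):
                findings.append(current)
    return findings


# Constructed sample: one benign entry and one whose path has a trailing CR.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    "\tpath = lib\n"
    "\turl = https://example.invalid/lib.git\n"
    '[submodule "odd"]\n'
    "\tpath = vendor/odd\r\n"
    "\turl = https://example.invalid/odd.git\n"
)

if __name__ == "__main__":
    print(repr(round_trip("vendor/odd\r", fixed=False)))   # CR silently lost
    print(repr(round_trip("vendor/odd\r", fixed=True)))    # CR preserved
    print("suspicious submodule paths:", check_gitmodules(SAMPLE_GITMODULES))
```

The scan is meant to run on a checked-out `.gitmodules` before `git submodule update` on hosts that cannot yet take the fixed Git versions listed above; any reported entry deserves a look at both the path and what it resolves to in the working tree.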
Affected products
No CPE identifiers are listed; affected ranges are given per package URL.

- pkg:bitnami/git: < 2.50.1
- pkg:rpm/almalinux/git: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-all: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-core: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-core-doc: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-credential-libsecret: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-daemon: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-email: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-gui: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-instaweb: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/gitk: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-subtree: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/git-svn: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/gitweb: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/perl-Git: < 2.47.3-1.el9_6
- pkg:rpm/almalinux/perl-Git-SVN: < 2.47.3-1.el9_6
- pkg:rpm/opensuse/git&distro=openSUSE%20Leap%2015.6: < 2.51.0-150600.3.12.1
- pkg:rpm/opensuse/git&distro=openSUSE%20Tumbleweed: < 2.50.1-1.1
- pkg:rpm/opensuse/git-lfs&distro=openSUSE%20Leap%2015.6: < 3.7.0-150600.13.3.1
- pkg:rpm/opensuse/obs-scm-bridge&distro=openSUSE%20Leap%2015.6: < 0.7.4-150600.14.4.1
- pkg:rpm/opensuse/python-PyYAML&distro=openSUSE%20Leap%2015.6: < 6.0.2-150600.10.3.1
- pkg:rpm/suse/git&distro=SUSE%20Enterprise%20Storage%207.1: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Micro%205.5: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: < 2.51.0-150600.3.12.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7: < 2.51.0-150600.3.12.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6: < 2.51.0-150600.3.12.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7: < 2.51.0-150600.3.12.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS: < 2.26.2-27.81.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5: < 2.26.2-27.81.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Micro%206.0: < 2.51.0-1.1
- pkg:rpm/suse/git&distro=SUSE%20Linux%20Micro%206.1: < 2.51.0-slfo.1.1_1.1
- pkg:rpm/suse/git&distro=SUSE%20Manager%20Proxy%20LTS%204.3: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git&distro=SUSE%20Manager%20Server%20LTS%204.3: < 2.43.7-150300.10.51.1
- pkg:rpm/suse/git-lfs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6: < 3.7.0-150600.13.3.1
- pkg:rpm/suse/git-lfs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7: < 3.7.0-150600.13.3.1
- pkg:rpm/suse/obs-scm-bridge&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6: < 0.7.4-150600.14.4.1
- pkg:rpm/suse/obs-scm-bridge&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7: < 0.7.4-150600.14.4.1
- pkg:rpm/suse/python-PyYAML&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6: < 6.0.2-150600.10.3.1
- pkg:rpm/suse/python-PyYAML&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7: < 6.0.2-150600.10.3.1
References
- github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 (MITRE, x_refsource_CONFIRM)