Threat Advisory

Git Vulnerabilities
v2 (002)

April 15, 2022 | By Accorian

Two new security vulnerabilities have recently been identified in Git. They are only exploitable when Git is used on a Windows instance or on a multi-user machine. Each vulnerability has been assigned its own CVE: CVE-2022-24765 and CVE-2022-24767.

1. CVE-2022-24765: If exploited, this vulnerability could lead to arbitrary code execution. Users running Git on multi-user Windows machines are at the highest risk. An attacker on such a machine can create a .git directory that Git then picks up when a user runs git outside of a repository, since Git searches parent directories for a .git directory. Some configuration variables, such as core.fsmonitor, can execute commands, which is what turns this into an arbitrary code execution attack.

2. CVE-2022-24767: This vulnerability is only exploitable in the Git for Windows uninstaller, which runs in the user's temporary directory. Because the C:\Windows\Temp directory is world-writable, any authenticated user can plant a malicious .dll file there. As the SYSTEM user inherits the permissions of the Temp directory, the malicious DLLs are run under the SYSTEM account when loaded.

Both vulnerabilities have been addressed in the latest Git release, v2.35.2. Users are advised to apply this update as soon as possible to prevent exploitation. Additionally, Git has released compensatory controls to reduce the risk where an immediate upgrade is not possible.

Kindly refer to the official Git announcement (https://github.blog/2022-04-12-git-security-vulnerability-announced/) to understand the fixes and compensatory controls.
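The following is an added illustration, not code from this advisory or from Git itself: it models the parent-directory discovery walk described under CVE-2022-24765 and the ownership check plus safe.directory allow-list that Git 2.35.2 introduced as the fix. The filesystem layout, account names and paths are constructed for the example.

```python
from collections import namedtuple
from pathlib import PureWindowsPath

# Constructed stand-in for a shared Windows host's filesystem: directory ->
# (owning account, whether it contains a `.git` entry). Paths are normalised
# through PureWindowsPath so the example runs unchanged on any OS.
Dir = namedtuple("Dir", "owner has_git")

def norm(path):
    return str(PureWindowsPath(path))

FS = {
    norm("C:/"): Dir("mallory", True),   # .git planted by another account in a shared location
    norm("C:/Users"): Dir("SYSTEM", False),
    norm("C:/Users/alice"): Dir("alice", False),
    norm("C:/Users/alice/scratch"): Dir("alice", False),
    norm("C:/Users/alice/project"): Dir("alice", True),
}

def discover_git_dir(cwd, fs=FS):
    """Git's repository discovery: starting at cwd, walk up through the
    parents and return the first directory holding a `.git` entry, or None
    when the walk reaches the root without finding one."""
    start = PureWindowsPath(cwd)
    for candidate in (start, *start.parents):
        entry = fs.get(str(candidate))
        if entry is not None and entry.has_git:
            return str(candidate)
    return None

def check_repo_trust(cwd, current_user, fs=FS, safe_directories=()):
    """Model of the check Git 2.35.2 added: a discovered repository owned by
    a different account is refused unless it is on the safe.directory
    allow-list. Returns (git_dir, verdict)."""
    git_dir = discover_git_dir(cwd, fs)
    if git_dir is None:
        return None, "no-repo"
    owner = fs[git_dir].owner
    if owner == current_user:
        return git_dir, "trusted"
    if git_dir in {norm(d) for d in safe_directories}:
        return git_dir, "allow-listed"
    # Pre-2.35.2 Git would proceed here and honour config such as
    # core.fsmonitor read from the foreign-owned .git directory.
    return git_dir, f"refused: owned by {owner}"

if __name__ == "__main__":
    for cwd in ("C:/Users/alice/project", "C:/Users/alice/scratch"):
        print(cwd, "->", check_repo_trust(cwd, "alice"))
```

Running git from the scratch directory, which is not itself a repository, walks up to the planted C:\.git and is refused; only an explicit allow-list entry for that path lets it through.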

Accorian is always available to assist all its clients. Please feel free to reach out to us at Alert@accorian.com if you have any questions.

Source: https://github.blog/2022-04-12-git-security-vulnerability-announced/
