Threat Advisory

Git Vulnerabilities
v2 (002)

April 15, 2022 | By Accorian

Two new security vulnerabilities have recently been identified in Git. They are only exploitable when Git is used on a Windows instance or on a multi-user machine. Each has been assigned its own CVE: CVE-2022-24765 and CVE-2022-24767.

1. CVE-2022-24765: If exploited, this vulnerability could lead to arbitrary code execution. Users running Git on multi-user Windows machines are at the highest risk. An attacker can create a .git directory in a shared location, and any Git invocation another user makes outside of a repository will then discover and use that attacker-controlled .git directory. Some configuration variables, such as core.fsmonitor, can execute commands, so a malicious configuration in that directory leads to arbitrary code execution in the context of the victim user.

2. CVE-2022-24767: This vulnerability only affects the Git for Windows uninstaller, which runs in the temporary directory of the user it executes as. Because the C:\Windows\Temp directory is world-writable, any authenticated user can place a malicious .dll file there. Since the SYSTEM user inherits the permissions of that Temp directory, the malicious DLL is loaded by the uninstaller and runs under the SYSTEM account.

Both vulnerabilities have been addressed in the latest Git release, Git v2.35.2. Users are advised to apply this update as soon as possible to prevent exploitation. Additionally, Git has released compensating controls to reduce the risk where an immediate upgrade is not possible.
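The following script is an added example written for this advisory; it is not code from Accorian or from the Git project. It makes the CVE-2022-24765 discovery problem visible on a shared machine: starting from a working directory, it walks up to the filesystem root and lists every .git directory that Git's repository discovery would encounter, flagging any that is owned by a different user. It also wraps the compensating control that Git v2.35.2 introduced, the safe.directory configuration key, which tells Git to trust a repository directory owned by another user. The script is POSIX shell (it also runs in Git Bash on Windows); the function names and the constructed directory layout used for the check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Accorian advisory or the Git project.
# Lists the ".git" directories Git's repository discovery would find when
# walking up from a starting directory, and flags any that belongs to another
# user. On a multi-user host that is the situation CVE-2022-24765 concerns.

# find_ancestor_git_dirs DIR
# Prints one line per ".git" directory found at DIR or any of its ancestors,
# nearest first, in the form "<path><TAB><ok|FOREIGN-OWNER>".
find_ancestor_git_dirs() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    me=$(id -un)
    while :; do
        case "$dir" in
            /) cand="/.git" ;;
            *) cand="$dir/.git" ;;
        esac
        if [ -d "$cand" ]; then
            # POSIX find: -prune stops descent, so only "$cand" itself is
            # tested against the "! -user" predicate.
            if [ -n "$(find "$cand" -prune ! -user "$me" -print 2>/dev/null)" ]; then
                printf '%s\tFOREIGN-OWNER\n' "$cand"
            else
                printf '%s\tok\n' "$cand"
            fi
        fi
        if [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# nearest_git_dir DIR
# Prints only the ".git" directory Git would actually select for DIR
# (the first one found walking upward), or nothing if there is none.
nearest_git_dir() {
    find_ancestor_git_dirs "$1" | head -n 1 | cut -f 1
}

# foreign_git_dirs DIR
# Prints only the ancestor ".git" directories owned by someone else. A
# non-empty result from a directory where you expected no repository is the
# condition worth investigating.
foreign_git_dirs() {
    find_ancestor_git_dirs "$1" | grep 'FOREIGN-OWNER$' | cut -f 1
}

# trust_repo_dir REPO_DIR
# Compensating control from Git v2.35.2: explicitly mark a repository whose
# directory is owned by another user as trusted. Only do this for a directory
# you have verified; "safe.directory" is a real Git config key, the wrapper
# name is this example's own.
trust_repo_dir() {
    git config --global --add safe.directory "$1"
}

# Usage (constructed demonstration, safe to run anywhere):
#   T=$(mktemp -d); mkdir -p "$T/outer/.git" "$T/outer/project/src"
#   find_ancestor_git_dirs "$T/outer/project/src"
#   nearest_git_dir "$T/outer/project/src"
```

A working tree that reports a FOREIGN-OWNER entry closer to it than its own repository is the pattern to look for: Git v2.35.2 and later refuse to use such a directory unless it is listed under safe.directory, while older versions silently honour its configuration.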

Kindly refer to the official Git announcement (https://github.blog/2022-04-12-git-security-vulnerability-announced/) to understand the fixes and compensating controls.

Accorian is always available to assist all its clients. Please feel free to reach out to us at Alert@accorian.com if you have any questions.

Source: https://github.blog/2022-04-12-git-security-vulnerability-announced/

    © 2023 Accorian. All Rights Reserved.