Cybersecurity researchers from X41 and GitLab have discovered three high-severe vulnerabilities in Git’s distributed version control system.
The researchers said the flaws could have allowed threat actors to run arbitrary code on targeted endpoints by exploiting heap-based buffer overrun vulnerabilities. Of the three flaws, two already have patches lined up, while a workaround is available for the third.
Patched vulnerabilities such as CVE-2022-41903 and CVE-2022-23521 have been tracked. Developers looking to protect their machines should update Git to version 2.30.7. The third instance is tracked as CVE-2022-41953, with the workaround not using the Git GUI to clone the repositories. Another way to stay safe, according to Bleeping Computer, is to avoid cloning from sources that aren’t completely trusted.
Corrections and solutions
“The most critical issue discovered allows an attacker to cause heap-based memory corruption during clone or pull operations, which can lead to code execution. Another critical issue allows code execution during the archiving process, which is typically implemented by Git forges, The researchers said in their explanation of the incident.
“In addition, a large number of integer-related issues have been identified that could lead to denial-of-service cases, out-of-bounds reads, or simply poorly handled corner cases on large inputs.”
> GitLab is scrambling to issue an emergency fix after the password snafu
> GitHub doesn’t want users to identify and shame security flaws anymore
> Check out the best malware protection now
Git has since released two more versions, so to be on the safe side, make sure you’re running the latest version of Git – 2.39.1.
PC Note that those who cannot apply the patch immediately should disable “git archive” on untrusted repositories, or avoid running the command on untrusted repositories. Furthermore, if “git archive” is detected via “git daemon”, users should disable it when working with untrusted repositories. It added that this can be done with the command “git config –global daemon.upladArch false”.
We strongly recommend that all installations running a version of the issue be affected [..] They are upgraded to the latest version as soon as possible,” GitLab warned.
- Here’s our roundup of the best endpoint security services today