Git For Windows
CVE-2023-25815
LOW
Severity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the gettext() function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path C:\mingw64\share\locale to look for localized messages. And since any authenticated user has the permission to create folders in C:\ (and since C:\mingw64 does not typically exist), it is possible for low-privilege users to place fake messages in that location where git.exe will pick them up in version 2.40.1.
This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a C:\mingw64 folder and leave it empty. Users who have administrative rights may remove the permission to create folders in C:\.
AnalysisAI
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. Rated low severity (CVSS 2.2). This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the gettext() function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path C:\mingw64\share\locale to look for localized messages. And since any authenticated user has the permission to create folders in C:\ (and since C:\mingw64 does not typically exist), it is possible for low-privilege users to place fake messages in that location where git.exe will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a C:\mingw64 folder and leave it empty. Users who have administrative rights may remove the permission to create folders in C:\. Affected products include: Git For Windows Project Git For Windows, Fedoraproject Fedora. Version information: version 2.40.1..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Git For Windows
View allUntrusted search path vulnerability in Git 1.x for Windows allows local users to gain privileges via a Trojan horse git.
Git for Windows is the Windows port of Git. Rated high severity (CVSS 7.8), this vulnerability is no authentication requ
Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy
Git for Windows is the Windows port of the revision control system Git. Rated high severity (CVSS 7.8), this vulnerabili
GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account. Rated high seve
Git for Windows is the Windows port of the revision control system Git. Rated high severity (CVSS 7.3), this vulnerabili
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today