CVE-2022-29187: Bypass of safe.directory protections in Git

Published Jul 12, 2022

A vulnerability was found in Git. The flaw exists because Git does not check the ownership of directories on a local multi-user system before running commands specified in the local repository configuration. This allows the owner of a repository to cause arbitrary commands to be executed by other users who access that repository.

Other sources

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 is vulnerable to privilege escalation on all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or as an Administrator on Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened against the exploit described in the example by removing any such repository if it already exists and creating one as root to block any future attacks.
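The following is an added example, not Git's own code: a simplified model of the safe.directory ownership decision that contrasts a check which looks only at the worktree owner (the gap described above, where a root-owned shared directory contains another user's .git) with one that also requires the .git directory itself to be owned by the current user. Function and parameter names are hypothetical; the audit helper reads real ownership via os.stat.

```python
# Added illustration of the safe.directory ownership rule (hypothetical code, not Git's).
import os
from pathlib import Path


def is_allow_listed(top, safe_dirs):
    """True if the worktree path matches a safe.directory entry ('*' trusts every repository)."""
    top = os.path.normpath(str(top))
    return any(e == "*" or os.path.normpath(os.path.expanduser(e)) == top for e in safe_dirs)


def repo_is_trusted(worktree_owner, gitdir_owner, current_uid, top, safe_dirs=(), check_gitdir=True):
    """Decide whether configuration found in <top>/.git may be honoured.

    check_gitdir=False models the pre-fix behaviour: only the worktree owner is
    compared with the current user, so a root-owned shared directory such as /tmp
    that contains a .git created by another user passes the check.
    check_gitdir=True models the fixed behaviour: the .git directory must also be
    owned by the current user, otherwise the repository must be allow-listed.
    """
    owners = [worktree_owner] + ([gitdir_owner] if check_gitdir else [])
    if all(owner == current_uid for owner in owners):
        return True
    return is_allow_listed(top, safe_dirs)


def audit(top, safe_dirs=(), check_gitdir=True):
    """Apply the decision to a real path.

    Returns (trusted, worktree_owner, gitdir_owner), or None if <top> holds no .git directory.
    Requires a POSIX system (os.geteuid).
    """
    top = Path(top)
    gitdir = top / ".git"
    if not gitdir.is_dir():
        return None
    worktree_owner = top.stat().st_uid
    gitdir_owner = gitdir.stat().st_uid
    trusted = repo_is_trusted(worktree_owner, gitdir_owner, os.geteuid(), top, safe_dirs, check_gitdir)
    return trusted, worktree_owner, gitdir_owner


if __name__ == "__main__":
    # Constructed scenario: root (uid 0) in a root-owned /tmp whose .git is owned by uid 1000.
    print("pre-fix check trusts it:", repo_is_trusted(0, 1000, 0, "/tmp", check_gitdir=False))
    print("fixed check trusts it:  ", repo_is_trusted(0, 1000, 0, "/tmp", check_gitdir=True))
```

Running audit over shared locations such as /tmp as the account that actually invokes git shows whether any repository there would be honoured without an explicit safe.directory entry.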

Apple: Git. Multiple issues were addressed by updating to git version 2.32.3.

Credit

Carlo Marcelo Arenas Belón, Johannes Schindelin

Affected Software

23 affected components

Fixes available:
redhat/git < 0:2.39.1-1.el8 (fixed in 0:2.39.1-1.el8)
redhat/git < 0:2.39.1-1.el9 (fixed in 0:2.39.1-1.el9)
redhat/git < 2.30.5 (fixed in 2.30.5)
redhat/git < 2.31.4 (fixed in 2.31.4)
redhat/git < 2.32.3 (fixed in 2.32.3)
redhat/git < 2.33.4 (fixed in 2.33.4)
redhat/git < 2.34.4 (fixed in 2.34.4)
redhat/git < 2.35.4 (fixed in 2.35.4)
redhat/git < 2.36.2 (fixed in 2.36.2)
redhat/git < 2.37.1 (fixed in 2.37.1)
Apple Xcode < 14.1 (fixed in 14.1)

Affected ranges:
git-scm Git >= 2.30.3, < 2.30.5
git-scm Git >= 2.31.2, < 2.31.4
git-scm Git >= 2.32.1, < 2.32.3
git-scm Git >= 2.33.2, < 2.33.4
git-scm Git >= 2.34.2, < 2.34.4
git-scm Git >= 2.35.2, < 2.35.4
git-scm Git >= 2.37.0, < 2.37.1
Fedoraproject Fedora = 35
Fedoraproject Fedora = 36
Fedoraproject Fedora = 37
Apple Xcode < 14.1
Debian Debian Linux = 10.0

Event History

Jul 12, 2022: CVE Published via MITRE, 12:00 AM
Jul 12, 2022: Data Sourced via MITRE, 12:00 AM


Frequently Asked Questions

1. What is CVE-2022-29187?

CVE-2022-29187 is a vulnerability in Git that allows for privilege escalation in all platforms.

2. How does CVE-2022-29187 affect Git?

CVE-2022-29187 affects Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5.

3. What is the severity of CVE-2022-29187?

CVE-2022-29187 has a severity rating of high (7 out of 10).

4. How can I fix CVE-2022-29187?

To fix CVE-2022-29187, update Git to version 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, or 2.30.5.

5. Where can I find more information about CVE-2022-29187?

You can find more information about CVE-2022-29187 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2022-29187) and the NVD database (https://nvd.nist.gov/vuln/detail/CVE-2022-29187).

© 2026 SecAlerts Pty Ltd.