CVE-2023-25652: "git apply --reject" partially-controlled arbitrary file write

Published Apr 20, 2023

A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to git apply --reject; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch.

Other sources

Red Hat: By feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).

IBM: Git could allow a remote attacker to bypass security restrictions. By feeding specially crafted input to git apply --reject, an attacker could exploit this vulnerability to overwrite a path outside the working tree.

GitHub (CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write): Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the .rej file exists.
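The workaround above asks the user to confirm that no symbolic link sits where `git apply --reject` would write a `.rej` file. The following POSIX shell script is an added example, not code from SecAlerts or from the Git project; it parses the patch's `+++ b/` headers itself (so it needs no git binary), refuses when any `<path>.rej` in the target tree is a symlink, and exercises the check on a constructed patch and scratch tree. The function names and the sample patch are hypothetical.

```shell
# Added example (not SecAlerts' or the Git project's code): before running
# "git apply --reject" on an untrusted patch, refuse if any path the patch
# touches already has a "<path>.rej" entry that is a symlink. POSIX sh only.

# List the working-tree paths a unified diff modifies (its "+++ b/..." lines).
patch_targets() {
    sed -n 's#^+++ b/##p' "$1"
}

# Return 0 when the patch may be applied with --reject in tree $1, 1 otherwise.
check_rej_symlinks() {
    dir=$1; patch=$2
    bad=$(patch_targets "$patch" | while IFS= read -r p; do
        if [ -L "$dir/$p.rej" ]; then printf '%s.rej\n' "$p"; fi
    done)
    if [ -n "$bad" ]; then
        printf 'refusing to apply: symlink present at %s\n' "$bad" >&2
        return 1
    fi
}

# Constructed sample patch that modifies src/util.c.
demo_patch() {
    cat <<'EOF'
--- a/src/util.c
+++ b/src/util.c
@@ -1,2 +1,2 @@
-int x = 1;
+int x = 2;
 int y = 2;
EOF
}

# Scratch tree with src/util.c.rej symlinked outside the tree (the workaround's precondition); prints its path.
make_unsafe_tree() {
    d=$(mktemp -d); mkdir -p "$d/src"; echo 'int x = 1;' > "$d/src/util.c"
    ln -s "$d/../outside-target" "$d/src/util.c.rej"
    printf '%s\n' "$d"
}

# Return 0 when the check refuses the unsafe tree and accepts it once fixed.
demo() {
    p=$(mktemp) && demo_patch > "$p" && t=$(make_unsafe_tree) || return 1
    if check_rej_symlinks "$t" "$p" 2>/dev/null; then return 1; fi
    rm "$t/src/util.c.rej"
    check_rej_symlinks "$t" "$p" || return 1
    rm -rf "$t" "$p"
}

demo && echo "pre-apply check behaves as expected"
```

Run the check from the repository root with the patch file as the second argument; only proceed to `git apply --reject` when it exits 0.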

Affected Software

29 affected components; fixed versions are given where the source lists them.

redhat/git < 0:1.8.3.1-25.el7_9 (fixed in 0:1.8.3.1-25.el7_9)
redhat/git < 0:2.39.3-1.el8_8 (fixed in 0:2.39.3-1.el8_8)
redhat/git < 0:2.18.4-3.el8_1 (fixed in 0:2.18.4-3.el8_1)
redhat/git < 0:2.18.4-4.el8_2 (fixed in 0:2.18.4-4.el8_2)
redhat/git < 0:2.27.0-4.el8_4 (fixed in 0:2.27.0-4.el8_4)
redhat/git < 0:2.31.1-4.el8_6 (fixed in 0:2.31.1-4.el8_6)
redhat/git < 0:2.39.3-1.el9_2 (fixed in 0:2.39.3-1.el9_2)
redhat/git < 0:2.31.1-5.el9_0 (fixed in 0:2.31.1-5.el9_0)
redhat/rh-git227-git < 0:2.27.0-6.el7 (fixed in 0:2.27.0-6.el7)
Microsoft Visual Studio 2019 (includes 16.0 - 16.10) = 16.11
Microsoft Visual Studio 2017 (includes 15.0 - 15.8) = 15.9
debian/git <= 1:2.30.2-1+deb11u2 (fixed in 1:2.30.2-1+deb11u4, 1:2.39.5-0+deb12u2, 1:2.47.2-0.1, 1:2.49.0-1)
IBM QRadar SIEM <= 7.5.0 - 7.5.0 UP6
git-scm Git < 2.30.9
git-scm Git >= 2.31.0, < 2.31.8
git-scm Git >= 2.32.0, < 2.32.7
git-scm Git >= 2.33.0, < 2.33.8
git-scm Git >= 2.34.0, < 2.34.8
git-scm Git >= 2.35.0, < 2.35.8
git-scm Git >= 2.36.0, < 2.36.6
git-scm Git >= 2.37.0, < 2.37.7
git-scm Git >= 2.38.0, < 2.38.5
git-scm Git >= 2.39.0, < 2.39.3
git-scm Git = 2.40.0
Fedoraproject Fedora = 37
Fedoraproject Fedora = 38
Microsoft Visual Studio 2022 = 17.2
Microsoft Visual Studio 2022 = 17.6
Microsoft Visual Studio 2022 = 17.0

Event History

Apr 20, 2023, 01:46 PM: data sourced via Red Hat (description, severity, affected software)
Apr 25, 2023, 12:00 AM: CVE published
Apr 25, 2023, 07:17 PM: CVE published via MITRE; data sourced via MITRE (description, severity, weakness)
Apr 25, 2023, 08:15 PM: data sourced via NVD (remedy, description, severity, weakness, affected software)
Jun 13, 2023, 07:00 AM: data sourced (description, severity, weakness)
Sep 19, 2024, 06:34 AM: data sourced via Ubuntu (remedy, description, severity, affected software)
Sep 19, 2024, 06:35 AM: data sourced via Launchpad (description)

Frequently Asked Questions

1. What is CVE-2023-25652?

CVE-2023-25652 refers to a vulnerability in Git that allows an attacker to overwrite a file outside of the working tree with partially controlled contents.

2. How severe is CVE-2023-25652?

CVE-2023-25652 has a severity rating of high.

3. Which versions of Git are affected by CVE-2023-25652?

The vulnerability affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1.

4. How can I fix CVE-2023-25652?

To fix CVE-2023-25652, you should update Git to version 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1.

5. Where can I find more information about CVE-2023-25652?

You can find more information about CVE-2023-25652 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2023-25652), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189765), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189766).
