CVE-2023-29007: Arbitrary configuration injection via `git submodule deinit`

Published Apr 20, 2023
·
Updated

A vulnerability was found in Git. This security flaw occurs when renaming or deleting a section from a configuration file, where certain malicious configuration values may be misinterpreted as the beginning of a new configuration section. This flaw leads to arbitrary configuration injection.

Other sources

CVE-2023-29007 When renaming or deleting a section from a configuration file,certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.

Red Hat

Git could provide weaker than expected security, caused by a configuration injection flaw. A remote attacker could exploit this vulnerability to launch further attacks on the system.

IBM

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::gitconfigcopyorrenamesectioninfile(). This bug can be used to inject arbitrary configuration into a user's $GITDIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GITDIR/config.

GitHub: CVE-2023-29007 Arbitrary configuration injection via git submodule deinit

Affected Software

30 affected componentsFixes available
redhat/git<0:1.8.3.1-25.el7_9
0:1.8.3.1-25.el7_9
redhat/git<0:2.39.3-1.el8_8
0:2.39.3-1.el8_8
redhat/git<0:2.18.4-3.el8_1
0:2.18.4-3.el8_1
redhat/git<0:2.18.4-4.el8_2
0:2.18.4-4.el8_2
redhat/git<0:2.27.0-4.el8_4
0:2.27.0-4.el8_4
redhat/git<0:2.31.1-4.el8_6
0:2.31.1-4.el8_6
redhat/git<0:2.39.3-1.el9_2
0:2.39.3-1.el9_2
redhat/git<0:2.31.1-5.el9_0
0:2.31.1-5.el9_0
redhat/rh-git227-git<0:2.27.0-6.el7
0:2.27.0-6.el7
Microsoft Visual Studio 2019 (includes 16.0 - 16.10)=16.11
Patch available
Microsoft Visual Studio 2017 (includes 15.0 - 15.8)=15.9
Patch available
debian/git<=1:2.30.2-1+deb11u2
1:2.30.2-1+deb11u41:2.39.5-0+deb12u21:2.47.2-0.11:2.49.0-1
IBM QRadar SIEM<=7.5.0 - 7.5.0 UP6
git-scm Git<2.30.9
git-scm Git>=2.31.0<2.31.8
git-scm Git>=2.32.0<2.32.7
git-scm Git>=2.33.0<2.33.8
git-scm Git>=2.34.0<2.34.8
git-scm Git>=2.35.0<2.35.8
git-scm Git>=2.36.0<2.36.5
git-scm Git>=2.37.0<2.37.7
git-scm Git>=2.38.0<2.38.5
git-scm Git>=2.39.0<2.39.3
git-scm Git=2.40.0
Fedoraproject Fedora=36
Fedoraproject Fedora=37
Fedoraproject Fedora=38
Microsoft Visual Studio 2022=17.2
Patch available
Microsoft Visual Studio 2022=17.6
Patch available
Microsoft Visual Studio 2022=17.0
Patch available

Remediation

Patch Available

https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4

Event History

Apr 20, 2023
Data Sourced
via Red Hat·01:56 PM
DescriptionSeverityAffected Software
Apr 25, 2023
CVE Published
12:00 AM
CVE Published
via MITRE·08:09 PM
Data Sourced
via MITRE·08:09 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·09:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Jun 13, 2023
Data Sourced
07:00 AM
DescriptionSeverityWeakness
Sep 19, 2024
Data Sourced
via Ubuntu·06:34 AM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Launchpad·06:35 AM
Description

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2023-29007?

CVE-2023-29007 is an arbitrary configuration injection vulnerability in Git that allows exploitation via the 'git submodule deinit' command when handling specially crafted .gitmodules files.

2

What is the severity of CVE-2023-29007?

The severity of CVE-2023-29007 is high, with a CVSS score of 7.8.

3

How does CVE-2023-29007 affect Git?

CVE-2023-29007 affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1.

4

How can CVE-2023-29007 be exploited?

CVE-2023-29007 can be exploited by providing a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters when using the 'git submodule deinit' command.

5

Is there a remedy for CVE-2023-29007?

Yes, upgrading Git to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, or 2.40.1 will mitigate the vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203