Git patches two critical remote code execution security flaws

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

Cybersecurity researchers from X41 and GitLab has discovered three high-severity vulnerabilities in the Git distributed version control system.

The flaws could have allowed threat actors to run arbitrary code on target endpoints by exploiting heap-based buffer overflow vulnerabilities, the researchers said. Of the three flaws, two already have patches lined up, while a workaround is available for the third one.

The two vulnerabilities that were patched are tracked as CVE-2022-41903 and CVE-2022-23521. Developers looking to protect their devices should update Git to version 2.30.7. The third one is tracked as CVE-2022-41953, with the workaround being not using the Git GUI software to clone repositories. Another way to stay safe, according to BleepingComputer, is to avoid cloning from untrusted sources altogether.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Patches and workarounds

"The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges," the researchers said in their explanation of the incident.

"Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input."

Git has since released a couple of additional versions, so to be on the safe side, make sure you’re running the latest version of Git - 2.39.1.

BleepingComputer notes that those that cannot apply the patch immediately should disable “git archive” in untrusted repositories, or avoid running the command on untrusted repositories. Furthermore, if “git archive” is exposed via “git daemon”, users should disable it when working with untrusted depositories. This can be done through the “git config –global daemon.upladArch false” command, it said.

"We strongly recommend that all installations running a version affected by the issues [..] are upgraded to the latest version as soon as possible," GitLab warned.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Shadowed hands on a digital background reaching for a login prompt.
This worrying Git flaw could lead to users leaking credentials
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Veeam backup software has a serious security flaw - here's how to stay safe
Representational image depecting cybersecurity protection
OpenSSH vulnerabilities could pose huge threat to businesses everywhere
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Top file synchronization tool Rsync security flaws mean up to 660,000 servers possibly affected
Digital image of a lock.
Nvidia systems could be facing another worrying security flaw
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC