The maintainers of the Git supply code variation manage method have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution.
The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impacts the next versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39..
Patched versions include v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. X41 D-Sec security researchers Markus Vervier and Eric Sesterhenn as very well as GitLab’s Joern Schneeweisz have been credited with reporting the bugs.
“The most serious issue found enables an attacker to cause a heap-primarily based memory corruption throughout clone or pull functions, which may outcome in code execution,” the German cybersecurity corporation stated of CVE-2022-23521.
CVE-2022-41903, also a critical vulnerability, is induced during an archive operation, primary to code execution by way of an integer overflow flaw that occurs when formatting the commit logs.
“Also, a massive quantity of integer connected issues was identified which may perhaps guide to denial-of-company cases, out-of-bound reads or basically badly taken care of corner circumstances on huge enter,” X41 D-Sec observed.
Even though there are no workarounds for CVE-2022-23521, Git is recommending that consumers disable “git archive” in untrusted repositories as a mitigation for CVE-2022-41903 in eventualities in which updating to the most up-to-date model is not an solution.
GitLab, in a coordinated advisory, reported it has unveiled versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Group Version (CE) and Enterprise Version (EE) to handle the shortcomings, urging clients to apply the fixes with speedy result.
Identified this report interesting? Follow us on Twitter and LinkedIn to read through more special content we write-up.
Some elements of this short article are sourced from: