CVE-2023-23618: gitk can inadvertently call executables in the worktree

Git for Windows is the Windows port of the revision control system Git. Prior to Git for Windows version 2.39.2, when gitk is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code. A patch is available in version 2.39.2. As a workaround, avoid using gitk (or Git GUI’s “Visualize History” functionality) in clones of untrusted repositories.

Tags: #windows #git

Affected versions

<=2.39.1

Description

Impact

When gitk is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited with some social engineering to trick users into running untrusted code.

Patches

  • 3650ca5

Workarounds

Avoid using gitk (or Git GUI’s “Visualize History” functionality) in clones of untrusted repositories.
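The mechanism behind this advisory, as an added example that is not part of the advisory or of Git for Windows: when a bare command name is launched with Windows-style lookup, the current directory is consulted before the PATH directories, so a same-named file at the root of a clone is picked up instead of the real tool. The Python below builds a constructed layout (`helper` is a placeholder command name, not one gitk actually invokes) and reports worktree files that would be resolved ahead of what PATH alone would find.

```python
"""Report files in a worktree root that would shadow commands looked up by bare
name with the clone as the current directory. Constructed example; the command
names and directory layout are placeholders, not gitk's real call list."""
import tempfile
from pathlib import Path

# Extensions a bare name is completed with on Windows (a default PATHEXT subset).
PATHEXT = (".exe", ".com", ".bat", ".cmd")


def resolve(name, search_dirs):
    """Return the first file matching name + PATHEXT across search_dirs, else None."""
    for d in search_dirs:
        for ext in PATHEXT:
            cand = Path(d) / (name + ext)
            if cand.is_file():
                return cand
    return None


def shadowed_commands(worktree, path_dirs, names):
    """Commands whose cwd-first lookup differs from a PATH-only lookup.

    A hit means a file in the worktree root would run instead of the intended
    tool whenever a program launches that command by bare name from the clone."""
    hits = {}
    for name in names:
        via_cwd = resolve(name, [worktree, *path_dirs])   # Windows-style order
        via_path = resolve(name, path_dirs)               # what PATH alone yields
        if via_cwd is not None and via_cwd != via_path:
            hits[name] = via_cwd
    return hits


def demo():
    """Constructed layout: a 'tools' dir on PATH plus an untrusted clone that
    carries a lookalike of one tool at its root. Returns {command: filename}."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp) / "tools"
        clone = Path(tmp) / "untrusted-clone"
        tools.mkdir()
        clone.mkdir()
        (tools / "helper.exe").write_bytes(b"")        # legitimate tool on PATH
        (clone / "helper.exe").write_bytes(b"")        # lookalike planted in worktree
        (clone / "README.md").write_text("harmless")   # ordinary repository content
        report = shadowed_commands(clone, [tools], ["helper", "other"])
        return {name: path.name for name, path in report.items()}


if __name__ == "__main__":
    print(demo())  # {'helper': 'helper.exe'}
```

Run `shadowed_commands` against a clone's root with your real PATH directories and the names of the tools you are about to launch; a non-empty report is the case the workaround above guards against.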

References

  • Tcl’s exec function documentation
  • Related advisory for Git GUI

Severity

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
