CVE-2022-24765: Build software better, together

Impact

This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder C:\.git, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory.

Git Bash users who set GIT_PS1_SHOWDIRTYSTATE (as recommended in the Pro Git Book) are vulnerable.

Users who installed posh-git are vulnerable simply by starting a PowerShell.

Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in C:\.git\config.

Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash.

Patches

The problem has been patched in Git for Windows v2.35.2.

Workarounds

Create the folder .git on all drives where Git commands are run, and remove read/write access from those folders:

mkdir \.git icacls \.git /inheritance:r

Alternatively, define or extend GIT_CEILING_DIRECTORIES to cover the parent directory of the user profile, e.g. C:\Users if the user profile is located in C:\Users\my-user-name.

Credits

Many thanks to 俞晨东 for finding and reporting the vulnerability!

References

• GIT_CEILING_DIRECTORIES
• How to set up a Git-aware Bash prompt, in the Pro Git Book

For more information

CVSS v3.1 Vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:L/MUI:R/MS:U/MC:H/MI:H/MA:N

If you have any questions or comments about this advisory:

• Open an issue in the Git for Windows project
• For sensitive questions or responsible disclosures, email the Git Security mailing list
• Email the Git project or post to Git for Windows’ Google group.