Cyber Resilience

CVE-2022-23521

Severity: Critical
Published: 17 January 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (upgrade per the advisory)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0944 (93.0th percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-23521 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Git (git-scm). Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Git is affected by multiple integer overflow vulnerabilities (CWE-190) in its gitattributes parsing logic. These occur when processing a crafted .gitattributes file containing an extremely large number of path patterns, attributes per pattern, or oversized attribute names. The overflows can produce arbitrary heap reads and writes that may lead to remote code execution. The issue exists in Git’s handling of attributes defined via repository files and was corrected in the coordinated releases published on 2023-01-17, including backports to v2.30.7.

An attacker can supply a malicious .gitattributes file as part of commit history. Because Git does not enforce the 2 KB line-length limit when reading from the index, the overflows can be triggered during normal operations such as clone, checkout, or diff that parse attributes from the index or working tree. Successful exploitation requires no authentication or user interaction and yields full control over the affected process, corresponding to the CVSS 9.8 rating.

Official patches and the Git security advisory GHSA-c738-c5qq-xg89 state there are no workarounds and direct users to upgrade to a patched version. Downstream distributions such as Gentoo have issued corresponding advisories (GLSA-202312-15) that reiterate the same upgrade guidance.

EPSS for the CVE reached a peak of 0.1637 before receding to the current value of 0.0944, indicating measurable post-disclosure exploitation interest that has since declined.

Vulnerability details

Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
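A defender-side check for the size indicators that the Deeper analysis and Vulnerability details passages describe (lines over 2 KB, very many attributes on one pattern, very long attribute names, very many patterns), suitable for a pre-receive hook or a repository scan. This is an added example, not Git's own parser or code from the advisory; only the 2048-byte line limit comes from the advisory text, and the other review thresholds are assumed values chosen for illustration.

```python
"""Audit .gitattributes text for the size indicators described in the advisory.

Added defender-side example, not Git's own parser. The review thresholds are
assumptions, not Git's limits; only the 2048-byte line limit is from the advisory.
"""
from dataclasses import dataclass

LINE_LIMIT = 2048            # Git splits longer lines read from a file, not from the index
MAX_PATTERNS = 10_000        # assumed review threshold
MAX_ATTRS_PER_PATTERN = 256  # assumed review threshold
MAX_ATTR_NAME_LEN = 256      # assumed review threshold


@dataclass
class Finding:
    line_no: int  # 1-based; 0 for a file-level finding
    kind: str
    detail: str


def parse_line(line: str):
    """Return (pattern, [attribute names]) or None for a blank or comment line.
    Whitespace split is enough for counting; `attr`, `-attr`, `!attr`, `attr=v` give `attr`."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    return tokens[0], [t.lstrip("-!").split("=", 1)[0] for t in tokens[1:]]


def audit_gitattributes(text: str) -> list[Finding]:
    """Flag lines and files whose shape matches the overflow preconditions."""
    findings: list[Finding] = []
    patterns = 0
    for no, raw in enumerate(text.split("\n"), start=1):
        size = len(raw.encode("utf-8"))
        if size > LINE_LIMIT:
            findings.append(Finding(no, "long_line", f"{size} bytes, over {LINE_LIMIT}"))
        parsed = parse_line(raw)
        if parsed is None:
            continue
        names = parsed[1]
        patterns += 1
        if len(names) > MAX_ATTRS_PER_PATTERN:
            findings.append(Finding(no, "many_attributes", f"{len(names)} attributes on one pattern"))
        longest = max((len(n) for n in names), default=0)
        if longest > MAX_ATTR_NAME_LEN:
            findings.append(Finding(no, "long_attribute_name", f"name of {longest} characters"))
    if patterns > MAX_PATTERNS:
        findings.append(Finding(0, "many_patterns", f"{patterns} path patterns in one file"))
    return findings
```

Run it over the blob of every `.gitattributes` path in incoming commits (index content, not just the working tree, since the index is where Git does not apply the 2 KB split) and reject or quarantine pushes that produce findings.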

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: git-scm
Product: git
Affected versions:
- ≤ 2.30.6
- 2.31.0 to 2.31.5
- 2.32.0 to 2.32.4
- 2.39.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.