CVE-2022-41903
Published: 17 January 2023
Summary
CVE-2022-41903 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Git-Scm Git. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Git is affected by an integer overflow vulnerability in its commit formatting logic, specifically within the `pretty.c::format_and_pad_commit()` function. The flaw occurs when padding operators in `--format` specifiers are processed: a `size_t` value is incorrectly stored as an `int` and then used as an offset in a `memcpy()` call. This issue impacts both direct use of `git log --format=...` and indirect triggering via `git archive` when the `export-subst` gitattribute expands format specifiers inside repository files. The vulnerability was assigned CVE-2022-41903 with a CVSS score of 9.8 and is tracked under CWE-190.
An attacker can exploit the flaw by supplying malicious format specifiers, either directly through command-line invocation or by placing crafted `export-subst` attributes in a repository that a victim archives. Successful exploitation results in arbitrary heap writes that may lead to arbitrary code execution. No special privileges are required, and the attack can be performed over a network without user interaction.
Advisories and patches released on 2023-01-17 address the issue in Git versions back to v2.30.7. Users are instructed to upgrade immediately. Those unable to upgrade should disable `git archive` in untrusted repositories or set `git config --global daemon.uploadArch false` when exposing the service via `git daemon`.
The EPSS score reached a peak of 0.2573 before receding to its current value of 0.1780, indicating some post-disclosure interest in exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-45041
Vulnerability details
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer…
more
overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.