Cyber Resilience

CVE-2022-41903

Critical

Published: 17 January 2023

Published
17 January 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1780 95.3th percentile
Risk Priority 30 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-41903 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Git-Scm Git. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Git is affected by an integer overflow vulnerability in its commit formatting logic, specifically within the `pretty.c::format_and_pad_commit()` function. The flaw occurs when padding operators in `--format` specifiers are processed: a `size_t` value is incorrectly stored as an `int` and then used as an offset in a `memcpy()` call. This issue impacts both direct use of `git log --format=...` and indirect triggering via `git archive` when the `export-subst` gitattribute expands format specifiers inside repository files. The vulnerability was assigned CVE-2022-41903 with a CVSS score of 9.8 and is tracked under CWE-190.

An attacker can exploit the flaw by supplying malicious format specifiers, either directly through command-line invocation or by placing crafted `export-subst` attributes in a repository that a victim archives. Successful exploitation results in arbitrary heap writes that may lead to arbitrary code execution. No special privileges are required, and the attack can be performed over a network without user interaction.

Advisories and patches released on 2023-01-17 address the issue in Git versions back to v2.30.7. Users are instructed to upgrade immediately. Those unable to upgrade should disable `git archive` in untrusted repositories or set `git config --global daemon.uploadArch false` when exposing the service via `git daemon`.

The EPSS score reached a peak of 0.2573 before receding to its current value of 0.1780, indicating some post-disclosure interest in exploitation.

EU & UK References

Vulnerability details

Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer…

more

overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

git-scm
git
2.39.0 · ≤ 2.30.6 · 2.31.0 — 2.31.5 · 2.32.0 — 2.32.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References