Git Vulnerability Alert | January 2023

Some critical vulnerabilities have been discovered in Git. Here's what you need to know.

Background

On January 17, 2023, security researchers in collaboration with GitLab announced the discovery of critical security flaws. Git is an open-source tool often used by software developers and engineers for version control as they collaborate on code changes. The flaws (CVE-2022-23521 & CVE-2022-41903) may allow a remote, unauthenticated attacker to perform arbitrary code execution on systems running vulnerable versions of Git.

Impact

Attackers may be able to exploit these vulnerabilities to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.

The following table includes the impacted products and versions as well as the corresponding fixed versions.

Package Name      Impacted Version(s)                                                                                 Fixed Version(s)
git-for-windows   <= 2.39.0(2)                                                                                        >= 2.39.1
git               <= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0        >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1

Next Steps

  1. Update to the latest version of Git across your organization.
    • The method to do this will vary depending on your operating system and package manager. See here for a general guide.
  2. Other products used with Git may release their own patches or updates, so take inventory of any such products in use and apply patches quickly. One commonly used product is GitLab, which already released patches for both the GitLab Community and GitLab Enterprise editions.
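To confirm step 1 on each host, here is an added POSIX shell check (not from the advisory) that parses the output of `git --version` and compares it against the fixed versions in the table above. The per-track lookup is constructed from that table; versions on maintenance tracks older than 2.30, which have no listed fix, are reported as needing an upgrade.

```shell
#!/bin/sh
# First fixed patch level on each maintenance track, taken from the advisory table.
fixed_patch_for_track() {
    case "$1" in
        2.30) echo 7 ;; 2.31) echo 6 ;; 2.32) echo 5 ;; 2.33) echo 6 ;; 2.34) echo 6 ;;
        2.35) echo 6 ;; 2.36) echo 4 ;; 2.37) echo 5 ;; 2.38) echo 3 ;; 2.39) echo 1 ;;
        *) echo "" ;;   # no fixed release listed for this track
    esac
}

# git_is_patched "git version X.Y.Z..." -> exit 0 if at/above a fixed version, 1 otherwise.
# Handles suffixes such as "2.39.0.windows.2" or "2.38.3 (Apple Git-140)".
git_is_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^git version \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1            # unparseable string: flag it for a human
    set -- $ver
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 2 ] && return 0       # a future major release is past every fix
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 39 ] && return 0      # 2.40+ are newer than the latest fixed track
    fixed=$(fixed_patch_for_track "$major.$minor")
    [ -n "$fixed" ] || return 1          # track older than 2.30: upgrade to a fixed track
    [ "$patch" -ge "$fixed" ]
}

# Report on the git binary installed on this host, if any.
check_local_git() {
    command -v git >/dev/null 2>&1 || { echo "git not installed"; return 0; }
    v=$(git --version)
    if git_is_patched "$v"; then echo "OK: $v"; else echo "UPDATE NEEDED: $v"; fi
}
```

Run `check_local_git` from a fleet-wide job (for example via your configuration management tool) and collect the lines that start with "UPDATE NEEDED".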

Resources