Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Git security vulnerabilities prompt updates

It’s time for developers to update their local Git installations following the discovery of a brace of vulnerabilities.

The worst of the two flaws (CVE-2022-24765) carries the potential of allowing an attacker to execute arbitrary commands.

Developers using Git for Windows or Git on a multi-user machine are most at risk, as an advisory by GitHub explains:

This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.

Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine.”

Software developers are advised to upgrade their systems to Git v2.35.2 in order to guard against potential attacks, which would rely on an attacker first gaining write access on a targeted system.

Developers who use Git on Linux or macOS are also affected by the CVE-2022-24765 flaw, albeit to a lesser extent. Patching in all cases is the recommended course of action but short of this, various mitigations are available, as detailed in GitHub’s advisory.

A second vulnerability (CVE-2022-24767) is limited to the Git for Windows uninstaller. As with the previous flaw, some level of compromised access is a prerequisite to potential attacks, as GitHub’s advisory explains.

Attacks would rely on planting malicious .dll files on a targeted system.

Users are advised to update to Git for Windows v2.35.2 but, again, a number of temporary mitigations offer a viable alternative.

Credit for discovering the vulnerability was given to Lockheed Martin’s red team.

GitHub offers a centralized location for Git repositories, hence its role in flagging up the requirement for software updates.

Source: https://portswigger.net/daily-swig/git-security-vulnerabilities-prompt-updates

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

A North Korea based threat actor targeting personal accounts of technology firms through low-profile social engineering attempts. This campaign utilizes a combination of repository...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO