Cybersecurity researchers from X41, GitLab discovered three critical vulnerabilities in Git’s distributed version control system.
Researchers claimed that the flaws could have been exploited heap-based buffer overrun vulnerabilities to allow threat actors to execute arbitrary code on targeted endspoints. Two of the three flaws are already covered by patches, while a workaround exists for the third.
CVE-2022-241903 and CVE-2022-242351 have been identified as patches. developers(Opens in new tab)Git version 2.30.7 is recommended for those who want to protect their computers. CVE-20222-41953 is the number for the third instance. This workaround does not require you to use the Git GUI to clone repositories. BleepingComputer recommends that you do not clone repositories from sources that are not completely trusted.
Corrections and solutions
“The most critical issue discovered allows an attacker to cause heap-based memory corruption during clone or pull operations, which can lead to code execution. Another critical issue is code execution in the archiving process. This is typically implemented by Gitforges, according to The Researchers He said(Opens in new tab)They differ in their interpretation of what happened.
“Integer-related issues were also identified that could lead into denial of service cases, out-of–range reads, or poorly handled corner case on large inputs.”
Git has released two additional versions since then. To be safe, make sure that you are running the most recent Git version – 2.39.1.
PCIt is important to note that users who are unable to apply the patch immediately should disable “git archives” on untrusted repositoryes or avoid running the command. Users should also disable “git archive” when working with untrusted repositories if it is detected via “git Daemon”. It added that this can be done with the command “git config –global daemon.upladArch false”.
We recommend that all installations running the issue version be affected [..] to the latest version as soon as possible,” GitLab warned(Opens in new tab).
via: PC(Opens in new tab)
[Denial of responsibility! reporterbyte.com is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – reporterbyte.com The content will be deleted within 24 hours.]