The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution.
The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.
Patched versions include v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. X41 D-Sec security researchers Markus Vervier and Eric Sesterhenn, as well as GitLab’s Joern Schneeweisz, have been credited with reporting the bugs.
“The most severe issue found allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which could result in code execution,” the German cybersecurity company said of CVE-2022-23521.
CVE-2022-41903, also a critical vulnerability, is triggered during an archive operation, leading to code execution by way of an integer overflow flaw that arises when formatting the commit logs.
“Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input,” X41 D-Sec noted.
While there are no workarounds for CVE-2022-23521, Git is recommending that users disable “git archive” in untrusted repositories as a mitigation for CVE-2022-41903 in scenarios where updating to the latest version is not an option.
GitLab, in a coordinated advisory, said it has released versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE) to address the shortcomings, urging customers to apply the fixes with immediate effect.
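The patched-version list above can be turned into a fleet check. The following is an added example, not code from Git, GitLab or X41 D-Sec: it classifies `git --version` banners against the first fixed release on each maintenance line. The function names, status labels and sample inventory are constructed for illustration, and treating release lines newer than 2.39 as fixed is an assumption.

```python
import re

# First fixed release per maintenance line, taken from the article's list.
PATCHED = {
    (2, 30): 7, (2, 31): 6, (2, 32): 5, (2, 33): 6, (2, 34): 6,
    (2, 35): 6, (2, 36): 4, (2, 37): 5, (2, 38): 3, (2, 39): 1,
}
OLDEST, NEWEST = min(PATCHED), max(PATCHED)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_git_version(banner):
    """Extract (major, minor, patch) from `git --version` output.

    Vendor suffixes such as '.windows.1' or '(Apple Git-137.1)' are ignored.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no version number in {banner!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def classify(banner):
    """Return 'patched', 'vulnerable', 'no-fix-listed' or 'assumed-patched'."""
    major, minor, patch = parse_git_version(banner)
    line = (major, minor)
    if line in PATCHED:
        return "patched" if patch >= PATCHED[line] else "vulnerable"
    if line < OLDEST:
        # The article lists no fixed release for lines older than 2.30.
        return "no-fix-listed"
    # Assumption: release lines after 2.39 already contain both fixes.
    return "assumed-patched"


def needs_action(inventory):
    """Return hosts whose Git build is not at a listed fixed release."""
    return [host for host, banner in inventory
            if classify(banner) in ("vulnerable", "no-fix-listed")]


# Constructed sample inventory: (host, output of `git --version`).
SAMPLE_INVENTORY = [
    ("build-01", "git version 2.39.0"),
    ("dev-mac", "git version 2.37.1 (Apple Git-137.1)"),
    ("dev-win", "git version 2.39.1.windows.1"),
    ("legacy-ci", "git version 2.25.1"),
    ("runner-07", "git version 2.30.7"),
]

if __name__ == "__main__":
    for host in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: upgrade Git")
```

Distribution packages can backport fixes without changing the upstream version number, so a "vulnerable" result from a packaged build should be confirmed against the vendor's advisory.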