
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24765 is a security vulnerability discovered in Git for Windows, affecting users working on multi-user machines. The vulnerability was disclosed on April 12, 2022, and affects Git versions up to 2.35.1.2. The issue occurs when untrusted parties have write access to the same hard disk and can create a folder C:\.git, which would be picked up by Git operations run outside a repository while searching for a Git directory (GitHub Advisory, NVD).
The vulnerability stems from Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. Affected scenarios include Git Bash users who set GIT_PS1_SHOWDIRTYSTATE, users of posh-git in PowerShell, and IDE users such as Visual Studio. The CVSS v3.1 base score is 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows untrusted parties to create a malicious Git configuration that could be executed when other users perform Git operations. When exploited, attackers could cause other users to execute arbitrary commands through Git configuration settings. This is particularly concerning in environments where multiple users share access to the same system (GitHub Advisory, OSS Security).
The vulnerability was patched in Git for Windows v2.35.2. For users unable to upgrade, two workarounds are available (GitHub Advisory):
1) Create the folder .git on all drives where Git commands are run and remove read/write access from those folders, using mkdir .git followed by icacls .git /inheritance:r.
2) Define or extend GIT_CEILING_DIRECTORIES to cover the parent directory of the user profile, e.g. C:\Users if the user profile is located in C:\Users\my-user-name.
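The two workarounds above, as an added PowerShell example that is not from the advisory or from the Git project. It prepends an audit step (my addition, not part of the advisory) that lists any existing drive-root .git folder together with its owner, so an unexpected folder can be examined before the placeholder is created, and it assumes Git for Windows separates GIT_CEILING_DIRECTORIES entries with ';'.

```powershell
# Added example (not from the advisory): audit drive roots for a .git folder,
# then apply the two CVE-2022-24765 workarounds.
# Run from an elevated PowerShell so icacls can change ACLs at the drive root.

# Audit: report every <drive>:\.git that already exists and who owns it.
# Only lettered drives (C:\, D:\, ...) are considered; PowerShell's own
# FileSystem drives such as Temp: are skipped.
function Get-DriveRootGitFolders {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if ($drive.Root -notmatch '^[A-Za-z]:\\$') { continue }
        $candidate = Join-Path -Path $drive.Root -ChildPath '.git'
        if (Test-Path -LiteralPath $candidate) {
            [pscustomobject]@{
                Path  = $candidate
                Owner = (Get-Acl -LiteralPath $candidate).Owner
            }
        }
    }
}

# Workaround 1: reserve <drive>:\.git and strip inherited permissions
# (the advisory's mkdir .git + icacls .git /inheritance:r steps).
function Protect-DriveRoot {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'C:\'
    $placeholder = Join-Path -Path $Root -ChildPath '.git'
    if (-not (Test-Path -LiteralPath $placeholder)) {
        New-Item -ItemType Directory -Path $placeholder | Out-Null
    }
    # /inheritance:r removes every inherited ACE, so other users get no
    # read or write access to the folder.
    icacls $placeholder /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $placeholder (exit code $LASTEXITCODE)" }
}

# Workaround 2: add a directory to the user's GIT_CEILING_DIRECTORIES
# without dropping entries that are already there.
# Assumption: Git for Windows splits the list on ';' (the Windows path-list separator).
function Add-GitCeilingDirectory {
    param([Parameter(Mandatory)][string]$Directory)
    $current = [Environment]::GetEnvironmentVariable('GIT_CEILING_DIRECTORIES', 'User')
    $entries = @()
    if ($current) { $entries = @($current -split ';' | Where-Object { $_ }) }
    if ($entries -notcontains $Directory) { $entries += $Directory }
    [Environment]::SetEnvironmentVariable('GIT_CEILING_DIRECTORIES', ($entries -join ';'), 'User')
}

# Usage: audit first, then protect each lettered drive, then set the ceiling
# to the parent of the user profile (C:\Users for C:\Users\my-user-name).
Get-DriveRootGitFolders | Format-Table -AutoSize

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    if ($drive.Root -match '^[A-Za-z]:\\$') { Protect-DriveRoot -Root $drive.Root }
}

Add-GitCeilingDirectory -Directory (Split-Path -Parent $env:USERPROFILE)
```

Two points worth keeping in mind when applying this. GIT_CEILING_DIRECTORIES makes Git stop its upward search before it reaches the ceiling directory, so the second workaround only protects commands run from somewhere below C:\Users; a command run from another location on the disk would still walk up to the drive root, which is what the first workaround covers. A variable set at User scope is read by newly started processes only, so shells and IDEs opened before the change keep the old environment until restarted.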
Source: This report was generated using AI