CVE-2022-41903
Git vulnerability analysis and mitigation

Overview

CVE-2022-41903 is a critical security vulnerability discovered in Git that affects versions up to v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0. The vulnerability was discovered by Joern Schneeweisz of GitLab and was publicly disclosed on January 17, 2023 (Git Advisory).

Technical details

The vulnerability occurs in the git log command's --format specifier functionality and git archive's export-subst gitattribute feature. When processing padding operators (e.g., %<(, %<|(, %>(, %>>(, or %><(), an integer overflow can occur in pretty.c::format_and_pad_commit(), where a size_t is improperly stored as an int and then added as an offset to a subsequent memcpy() call. This vulnerability is tracked as CWE-122 (heap-based buffer overflow) and has been rated as Critical severity (Git Advisory, NVD).
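The following added illustration is not Git's code: it models the size_t-to-int narrowing pattern described above (a padding width truncated to an int and then used to form a memcpy() offset) beside a checked conversion modelled on the approach of the fix; the function names, buffer sizes and the constructed out-of-range width are all assumptions.

```c
/* Added illustration, not Git's code: the size_t -> int narrowing pattern
 * described above, beside a checked conversion modelled on Git's fix. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Checked narrowing: refuse any value that does not fit an int. */
static bool checked_size_to_int(size_t n, int *out)
{
    if (n > (size_t)INT_MAX)
        return false;
    *out = (int)n;
    return true;
}

/* Vulnerable shape: a padding width of type size_t is stored in an int
 * (silently wrapping when it exceeds INT_MAX) and then added to the
 * current buffer length to form the destination offset of a memcpy().
 * Returns the offset the code would have trusted; a negative or
 * undersized value means the memcpy() would land outside the buffer. */
int64_t pad_offset_unchecked(size_t used, size_t width)
{
    int iwidth = (int)width;              /* the narrowing defect */
    return (int64_t)used + iwidth;        /* offset fed to memcpy() */
}

/* Hardened shape: validate the width before it is ever narrowed, and
 * check that the padded field still fits inside the buffer capacity.
 * Returns the offset, or -1 when the write must be refused. */
int64_t pad_offset_checked(size_t cap, size_t used, size_t width)
{
    int iwidth;
    if (!checked_size_to_int(width, &iwidth))
        return -1;                        /* width too large for an int */
    if (used > cap || width > cap - used)
        return -1;                        /* field would overrun buffer */
    return (int64_t)(used + width);
}

int main(void)
{
    size_t used = 16, cap = 4096;
    size_t huge = (size_t)INT_MAX + 2;    /* constructed out-of-range width */
    printf("unchecked offset: %lld\n", (long long)pad_offset_unchecked(used, huge));
    printf("checked offset:   %lld\n", (long long)pad_offset_checked(cap, used, huge));
    printf("checked, sane:    %lld\n", (long long)pad_offset_checked(cap, used, 8));
    return 0;
}
```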

Impact

The integer overflow vulnerability can result in arbitrary heap writes, which may lead to remote code execution. The vulnerability can be triggered directly by a user running commands that invoke the commit formatting machinery (e.g., git log --format=...) or indirectly through git archive via the export-subst mechanism, which expands format specifiers inside files within the repository during a git archive operation (Git Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1, released on January 17, 2023. If upgrading is not immediately possible, users should disable git archive in untrusted repositories; where git archive is exposed through git daemon, it can be disabled by running 'git config --global daemon.uploadArch false' (Git Advisory).

Community reactions

The vulnerability was discovered through a coordinated effort involving multiple security researchers. The initial fix was authored by Markus Vervier of X41 D-Sec, and the patches were further polished and extended by Patrick Steinhardt of GitLab. The work was sponsored by OSTIF (Open Source Technology Improvement Fund) (Git Advisory).
