CVE-2022-41953: 
Git vulnerability analysis and mitigation

Git GUI, a graphical tool bundled with Git for Windows, contains a critical vulnerability (CVE-2022-41953) that could allow remote code execution. The vulnerability affects versions <=2.39.0(2) and was patched in version >=2.39.1. The issue stems from Git GUI's automatic post-processing of cloned repositories, where it attempts to run a spell checker called aspell.exe. Due to Tcl's design on Windows, the search path for executables always includes the current directory, allowing malicious repositories to execute arbitrary code through a crafted aspell.exe file (GHSA Advisory).

The vulnerability occurs during Git GUI's repository cloning process. After completing a local clone, Git GUI automatically performs post-processing operations, including running a spell checker. Due to Tcl/Tk's implementation on Windows, when searching for executables, the current directory is always included in the search path. This behavior allows a malicious repository to include an aspell.exe file in its top-level directory, which would be executed automatically without user inspection. The vulnerability has been assigned a CVSS score of 8.6 (High), with attack vector being Local, attack complexity Low, and requiring user interaction (CERT EU, GHSA Advisory).

The vulnerability allows attackers to achieve remote code execution on the target system when a user clones a malicious repository using Git GUI. This can lead to unauthorized access, data theft, and system compromise with the same privileges as the user running Git GUI (Help Net Security).

Users are advised to upgrade to Git for Windows version 2.39.1 or later which contains the fix. As a workaround, users should avoid using Git GUI for cloning repositories, or at minimum, avoid cloning from untrusted sources. The fix was implemented in commit 91b0797 and was also submitted as a pull request to the git-gui repository (GHSA Advisory).