CVE-2023-23618: 
vulnerability analysis and mitigation

Git for Windows, the Windows port of the Git revision control system, was found to have a security vulnerability prior to version 2.39.2. When gitk is run on Windows, it potentially runs executables from the current directory inadvertently, which can be exploited through social engineering to trick users into running untrusted code. The vulnerability was assigned CVE-2023-23618 and was patched in Git for Windows version 2.39.2 released on February 14, 2023 (Git Windows Release).

The vulnerability is classified as a high severity issue with a CVSS v3.1 base score of 8.6 (HIGH). The vulnerability is identified as CWE-426 (Untrusted Search Path). The technical root cause involves gitk's unsafe path lookup behavior on Windows systems, where it could inadvertently execute programs placed in the current working directory. This occurs due to improper handling of executable path resolution in the Tcl script that implements gitk (GitHub Advisory).

If successfully exploited, this vulnerability could allow an attacker to achieve arbitrary code execution with the privileges of the user running gitk. The impact is particularly severe as it could lead to unauthorized access to system resources, data theft, or system compromise through social engineering tactics (GitHub Advisory).

The primary mitigation is to upgrade to Git for Windows version 2.39.2 or later. As a workaround, users should avoid using gitk (or Git GUI's 'Visualize History' functionality) in clones of untrusted repositories. The fix was implemented through a patch that ensures safe path lookup in gitk on Windows (Git Windows Release, GitHub Advisory).