
Cloud Vulnerability DB
A community-led vulnerabilities database
The git2 and libgit2-sys crates, which are Rust wrappers around the libgit2 C library, were found to have a security vulnerability (CVE-2023-22742) in which SSH host keys were not verified by default when establishing SSH connections. This vulnerability affects git2 versions below 0.16.1 and libgit2-sys versions below 0.13.5, as well as libgit2-sys versions from 0.14.0 up to, but not including, 0.14.2. The issue was discovered and disclosed on January 20, 2023 (GitHub Advisory, RustSec Advisory).
The vulnerability stems from libgit2's default behavior, which requires the caller to set the `certificate_check` field of the `git_remote_callbacks` structure. Without a configured certificate check callback, the library performs no host key (certificate) checking during SSH connections. The issue has a CVSS v3.1 base score of 6.8 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating a network-based attack vector with high attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity (GitHub Advisory).
The vulnerability exposes users to potential man-in-the-middle (MITM) attacks when establishing SSH connections, because the library does not validate the server's SSH host key by default. This could lead to unauthorized access to confidential information and potential integrity breaches during Git operations over SSH (LibGit2 Advisory).
The vulnerability has been patched in git2 version 0.16.1 and libgit2-sys versions 0.14.2 and 0.13.5. The fixes update the underlying libgit2 C library to version 1.5.1 (for git2 0.16.1 and libgit2-sys 0.14.2) and version 1.4.5 (for libgit2-sys 0.13.5), which implement proper SSH host key verification by default. Users are strongly encouraged to upgrade to these patched versions. Those unable to upgrade immediately should configure a certificate check callback (the `certificate_check` field of `git_remote_callbacks`) that verifies the server's SSH host key before any data is exchanged (GitHub Advisory).
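The missing default check is the host key decision a `certificate_check` callback has to make. The following stand-alone Rust is an added example, not code from the advisory or from the git2 project: it models that decision against known_hosts-style pinned keys, assuming the caller has already obtained the host name, key type and raw key bytes presented by the server (in the git2 crate these would be taken from the certificate passed to the callback, which this example does not depend on).

```rust
// Added example (not from the advisory or git2): the host-key decision a
// certificate_check callback must make, checked against known_hosts-style pinned keys.
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum HostKeyVerdict {
    Trusted,     // presented key equals the pinned key: let the operation proceed
    UnknownHost, // nothing pinned for this host: refuse rather than trust-on-first-use
    Mismatch,    // pinned key differs from the presented one: possible MITM, refuse
}
/// Pinned keys indexed by (host, key type); the value is the base64 key as written.
pub struct KnownHosts { entries: HashMap<(String, String), String> }
impl KnownHosts {
    /// Parse "host[,host...] key-type base64-key" lines. Comment lines and hashed
    /// ("|1|...") hosts are skipped: hashed entries cannot be matched without their HMAC.
    pub fn parse(text: &str) -> Self {
        let mut entries = HashMap::new();
        for line in text.lines().filter(|l| !l.starts_with('#') && !l.starts_with('|')) {
            let mut f = line.split_whitespace();
            if let (Some(h), Some(t), Some(k)) = (f.next(), f.next(), f.next()) {
                for host in h.split(',') {
                    entries.insert((host.to_string(), t.to_string()), k.to_string());
                }
            }
        }
        KnownHosts { entries }
    }
    /// Trusted only when the raw key the server presented is exactly the pinned key.
    pub fn verify(&self, host: &str, key_type: &str, raw_key: &[u8]) -> HostKeyVerdict {
        match self.entries.get(&(host.to_string(), key_type.to_string())) {
            None => HostKeyVerdict::UnknownHost,
            Some(pinned) if *pinned == base64(raw_key) => HostKeyVerdict::Trusted,
            Some(_) => HostKeyVerdict::Mismatch,
        }
    }
}
/// Standard base64 with '=' padding, the encoding known_hosts uses for key blobs.
pub fn base64(data: &[u8]) -> String {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for c in data.chunks(3) {
        let n = c.iter().fold(0u32, |acc, &b| (acc << 8) | b as u32) << (8 * (3 - c.len()));
        for i in 0..4 {
            out.push(if i <= c.len() { T[((n >> (18 - 6 * i)) & 63) as usize] as char } else { '=' });
        }
    }
    out
}

/// Constructed sample, not a real key: the pinned value is base64 of "example-host-key".
pub const SAMPLE_KNOWN_HOSTS: &str = "git.example.com ssh-ed25519 ZXhhbXBsZS1ob3N0LWtleQ==\n";
```

A callback built on this returns success only for `Trusted`; both `UnknownHost` and `Mismatch` should fail the connection, which is the behaviour the unpatched default silently omitted.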
Source: This report was generated using AI