Directory Traversal Affecting git package, versions <1:2.30.2-1+deb11u2
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-GIT-3319756
- published 15 Feb 2023
- disclosed 14 Feb 2023
Introduced: 14 Feb 2023
CVE-2023-23946 Open this link in a new tabHow to fix?
Upgrade Debian:11 git to version 1:2.30.2-1+deb11u2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.