Directory Traversal Affecting git-core package, versions <2.35.3-150300.10.24.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES154-GITCORE-3322376
- published 16 Feb 2023
- disclosed 15 Feb 2023
Introduced: 15 Feb 2023
CVE-2023-23946 Open this link in a new tabHow to fix?
Upgrade SLES:15.4 git-core to version 2.35.3-150300.10.24.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream git-core package and not the git-core package as distributed by SLES.
See How to fix? for SLES:15.4 relevant fixed versions and status.
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.