The maintainers of the Git supply code model management system have launched updates to remediate two essential vulnerabilities that might be exploited by a malicious actor to realize distant code execution.
The issues, tracked as CVE-2022-23521 and CVE-2022-41903, impacts the next variations of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.
Patched variations embody v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. X41 D-Sec safety researchers Markus Vervier and Eric Sesterhenn in addition to GitLab’s Joern Schneeweisz have been credited with reporting the bugs.
“Probably the most extreme concern found permits an attacker to set off a heap-based reminiscence corruption throughout clone or pull operations, which could lead to code execution,” the German cybersecurity firm stated of CVE-2022-23521.
CVE-2022-41903, additionally a essential vulnerability, is triggered throughout an archive operation, resulting in code execution by means of an integer overflow flaw that arises when formatting the commit logs.
“Moreover, an enormous variety of integer associated points was recognized which can result in denial-of-service conditions, out-of-bound reads or just badly dealt with nook instances on massive enter,” X41 D-Sec famous.
Whereas there aren’t any workarounds for CVE-2022-23521, Git is recommending that customers disable “git archive” in untrusted repositories as a mitigation for CVE-2022-41903 in situations the place updating to the newest model shouldn’t be an choice.
GitLab, in a coordinated advisory, stated it has launched variations 15.7.5, 15.6.6, and 15.5.9 for GitLab Neighborhood Version (CE) and Enterprise Version (EE) to handle the shortcomings, urging prospects to use the fixes with rapid impact.