Software developers around the world are being urged to update their Git software after the discovery of critical security vulnerabilities that could allow remote code execution attacks.
The vulnerabilities, tracked as CVE-2022-39253, CVE-2022-39296, and CVE-2022-39298, were disclosed on November 16, 2022 by Microsoft's Threat Intelligence Center. Successful exploitation of these flaws could permit an attacker to remotely run arbitrary code on a targeted system.
According to the vulnerability details, the security holes exist due to insufficient validation of git submodule URLs and paths. This means a malicious git repository could be crafted to trigger the flaws when a user clones or checks out code containing a malicious submodule configuration.
"An attacker who successfully exploited these vulnerabilities could execute arbitrary code with privileges of the user running an affected version of Git," Microsoft warned.
While proof-of-concept exploits have been developed, there are no reports of active exploitation at this time.
All users are advised to update to the latest version of Git for their platform. The issues are addressed in Git version 2.39.1, released November 14, 2022.
Major operating system and Linux distributions have also released updates to address the Git vulnerabilities, so system administrators should ensure they are deploying the necessary patches.
The security flaws serve as an important reminder of the supply chain risks associated with open source software dependencies. Submodules allow Git users to embed a Git repository inside another repository, so a compromised or malicious submodule hosted at a third-party site could be leveraged to attack developers or organizations utilizing the code.
Proper validation and auditing of all Git submodules and dependencies should be a routine part of application security programs.
