Git security vulnerability announced | The GitHub Blog

by admin
April 12, 2022
in Software Engineering

Today, the Git project released new versions which address a pair of security vulnerabilities.

GitHub is unaffected by these vulnerabilities. However, you should be aware of them and upgrade your local installation of Git, especially if you are using Git for Windows, or you use Git on a multi-user machine.

CVE-2022-24765

This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.

Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine.

The most effective way to protect against this vulnerability is to upgrade to Git v2.35.2. This version changes Git’s behavior when looking for a top-level .git directory to stop when its directory traversal changes ownership from the current user. (If you wish to make an exception to this behavior, you can use the new multi-valued safe.directory configuration).

If you can’t upgrade immediately, the most effective ways to reduce your risk are the following:

  • Define the GIT_CEILING_DIRECTORIES environment variable to contain the parent directory of your user profile (i.e., /Users on macOS, /home on Linux, and C:\Users on Windows).
  • Avoid running Git on multi-user machines when your current working directory is not within a trusted repository.

Note that many tools (such as the Git for Windows installation of Git Bash, posh-git, and Visual Studio) run Git commands under the hood. If you are on a multi-user machine, avoid using these tools until you have upgraded to the latest release.
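To make the three behaviours above concrete, here is an added example (not Git's own setup code and not part of the GitHub post) that models Git's upward search for a .git directory in Python: the pre-2.35.2 search, the v2.35.2 owner check with its safe.directory opt-out, and the GIT_CEILING_DIRECTORIES workaround for installations that cannot upgrade yet. The directory layout, the uids (1000 for the victim, 1001 for the attacker) and the owner_of callable are constructed for the demonstration, because a test cannot change file ownership; real Git reads ownership with stat(2) and also recognises .git files and bare repositories, which this model omits.

```python
"""Model of Git's upward .git search before and after the CVE-2022-24765 fix.

Added example for illustration only; this is not Git's own setup.c code.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Iterable, Optional


class UnsafeRepository(Exception):
    """Stands in for Git's 'fatal: unsafe repository (... is owned by someone else)'."""


def discover_git_dir(
    cwd: str,
    current_uid: int,
    owner_of: Callable[[str], int],
    *,
    check_ownership: bool = True,
    safe_directories: Iterable[str] = (),
    ceiling_directories: Iterable[str] = (),
) -> Optional[str]:
    """Walk up from cwd and return the first .git directory found, or None.

    check_ownership=False reproduces the pre-2.35.2 behaviour.  With it on,
    a .git whose parent directory is not owned by current_uid is rejected
    unless that parent is listed in safe_directories (the safe.directory
    config).  ceiling_directories models GIT_CEILING_DIRECTORIES: the walk
    stops before entering any listed directory, but never excludes cwd itself.
    Simplification: only .git directories are recognised, not .git files.
    """
    safe = {os.path.realpath(p) for p in safe_directories}
    ceilings = {os.path.realpath(p) for p in ceiling_directories}
    directory = os.path.realpath(cwd)
    while True:
        candidate = os.path.join(directory, ".git")
        if os.path.isdir(candidate):
            if (check_ownership and owner_of(directory) != current_uid
                    and directory not in safe):
                raise UnsafeRepository(f"'{directory}' is owned by someone else")
            return candidate
        parent = os.path.dirname(directory)
        if parent == directory or parent in ceilings:
            return None  # hit the filesystem root or a ceiling directory
        directory = parent


def run_scenario() -> dict:
    """Reproduce the shared-machine layout from the advisory and run each case.

    Constructed layout under one temporary root (standing in for C:\\ or /):
        <root>/.git/config        planted by the attacker, uid 1001
        <root>/home/alice/proj    the victim's cwd, uid 1000, not a repository
        <root>/home/alice/proj2   a repository the victim legitimately owns
    """
    root = Path(tempfile.mkdtemp()).resolve()
    attacker_uid, victim_uid = 1001, 1000

    # The attacker's payload: a command in core.fsmonitor would run as the
    # victim when Git refreshes the index.  The model never executes it.
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text(
        "[core]\n\tfsmonitor = /path/planted/by/attacker\n")

    victim_home = root / "home" / "alice"
    cwd = victim_home / "proj"
    cwd.mkdir(parents=True)
    own_repo = victim_home / "proj2"
    (own_repo / ".git").mkdir(parents=True)
    (own_repo / "src").mkdir()

    def owner_of(path: str) -> int:
        """Constructed ownership: the victim owns their home tree, the attacker the rest."""
        p = os.path.realpath(path)
        home = str(victim_home)
        return victim_uid if p == home or p.startswith(home + os.sep) else attacker_uid

    results = {
        "attacker_git_dir": os.path.join(str(root), ".git"),
        "own_git_dir": os.path.join(str(own_repo), ".git"),
    }
    # 1. Pre-2.35.2: the attacker's .git wins because nothing checks ownership.
    results["pre_2.35.2"] = discover_git_dir(
        str(cwd), victim_uid, owner_of, check_ownership=False)
    # 2. v2.35.2: same walk, but the owner check refuses the foreign directory.
    try:
        discover_git_dir(str(cwd), victim_uid, owner_of)
        results["2.35.2"] = "discovered"
    except UnsafeRepository as exc:
        results["2.35.2"] = f"fatal: unsafe repository ({exc})"
    # 3. v2.35.2 with the opt-out: safe.directory re-admits the directory.
    results["2.35.2+safe.directory"] = discover_git_dir(
        str(cwd), victim_uid, owner_of, safe_directories=[str(root)])
    # 4. Pre-2.35.2 with the advisory's workaround: the walk stops below /home.
    results["pre_2.35.2+ceiling"] = discover_git_dir(
        str(cwd), victim_uid, owner_of, check_ownership=False,
        ceiling_directories=[str(root / "home")])
    # 5. v2.35.2 inside the victim's own repository still works.
    results["own_repo"] = discover_git_dir(
        str(own_repo / "src"), victim_uid, owner_of)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:26} {outcome}")
```

Run the file directly to print the five outcomes. Case 4 is what the GIT_CEILING_DIRECTORIES workaround buys you before upgrading, and case 3 shows why safe.directory should list only repositories you actually trust: it switches the owner check off for that directory.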

Credit for finding this vulnerability goes to 俞晨东.


CVE-2022-24767

This vulnerability affects the Git for Windows uninstaller, which runs in the user’s temporary directory. Because the SYSTEM user account inherits the default permissions of C:\Windows\Temp (which is world-writable), any authenticated user can place malicious .dll files there, and they are loaded when the Git for Windows uninstaller is run via the SYSTEM account.

The most effective way to protect against this vulnerability is to upgrade to Git for Windows v2.35.2. If you can’t upgrade immediately, reduce your risk with the following:

  • Avoid running the uninstaller until after upgrading
  • Override the SYSTEM user’s TMP environment variable to a directory which can only be written to by the SYSTEM user
  • Remove unknown .dll files from C:\Windows\Temp before running the uninstaller
  • Run the uninstaller under an administrator account rather than as the SYSTEM user

Credit for finding this vulnerability goes to the Lockheed Martin Red Team.
