CVE-2023-25652

Publication date 25 April 2023

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
git	23.04 lunar	Fixed 1:2.39.2-1ubuntu1.1
	22.10 kinetic	Fixed 1:2.37.2-1ubuntu1.5
	22.04 LTS jammy	Fixed 1:2.34.1-1ubuntu1.9
	20.04 LTS focal	Fixed 1:2.25.1-1ubuntu3.11
	18.04 LTS bionic	Fixed 1:2.17.1-1ubuntu0.18
	16.04 LTS xenial	Fixed 1:2.7.4-0ubuntu1.10+esm7 Ubuntu Pro
	14.04 LTS trusty	Ignored end of standard support

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Related Ubuntu Security Notices (USN)

USN-6050-1
Git vulnerabilities
1 May 2023

USN-6050-2
Git vulnerabilities
17 May 2023

Other references

https://www.cve.org/CVERecord?id=CVE-2023-25652