Learn about CVE-2022-39253, where Git versions before 2.37.4 (and the matching fixes on older maintenance tracks) expose sensitive data when a local clone follows a symbolic link in the source's object directory. Find the impact, affected systems, and mitigation steps.
Git is subject to exposure of sensitive information via symbolic links during a local clone.
Understanding CVE-2022-39253
Git versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor when a local clone follows a symbolic link placed in the source repository's object directory.
What is CVE-2022-39253?
The vulnerability lets a malicious actor arrange for a local clone to copy sensitive data from the victim's machine into the clone by planting a symbolic link in the repository being cloned. It affects the versions listed above; the releases that replace them carry the fix.
The Impact of CVE-2022-39253
The vulnerability can expose sensitive data to an unauthorized actor: any file the victim can read can be copied into the clone's object directory, compromising its confidentiality.
Technical Details of CVE-2022-39253
Vulnerability Description
When a local clone is performed (source and destination on the same volume), Git copies or hardlinks the contents of the source's $GIT_DIR/objects directory into the destination. If that directory contains a symbolic link to a file outside the repository, the link is followed and the target file's contents are copied along with the objects. Git itself never creates symbolic links in $GIT_DIR/objects, so the fixed versions no longer follow them.
Affected Systems and Versions
Git versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are affected by this vulnerability.
Exploitation Mechanism
A malicious actor tricks a victim into cloning a repository whose object directory contains a symbolic link pointing at sensitive information on the victim's machine. This can happen either when the victim clones a malicious repository already present on the same machine, or when the victim clones any repository with --recurse-submodules and a malicious bare repository is embedded in it as a submodule, which makes Git perform a local clone of the embedded repository.
Mitigation and Prevention
Immediate Steps to Take
Avoid cloning untrusted repositories with the --local optimization, which Git uses by default when the source is a path on the same machine. Pass --no-local to git clone, or give the source as a file:// URL, so that Git fetches through its normal transport instead of copying the source's object directory.
Long-Term Security Practices
Exercise caution when cloning from untrusted sources. Refrain from cloning them with --recurse-submodules, or run git config --global protocol.file.allow user, which prevents submodules from being fetched over the file:// transport (and thus from taking the local-clone path) without an explicit user action.
Patching and Updates
Update Git to one of the releases published on 2022-10-18 (2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, or 2.37.4, the first of which is the backport to the v2.30.x maintenance track) or to a later release that includes the fix.
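The following script ties the three mitigation steps together. It is an added example written for this page, not code from the advisory or from the Git project: it classifies a Git version against the fixed releases listed above, wraps the --no-local clone, and applies the protocol.file.allow setting. The function names (version_ge, patched_status, installed_git_status, safe_clone, harden_submodule_file_transport) and the "unlisted" verdict for maintenance tracks newer than 2.37, which this advisory does not enumerate, are this example's own choices.

```shell
#!/bin/sh
# Added example for this page (not from the advisory or the Git project):
# classify a Git version against the fixed releases the advisory lists and
# show the clone invocation and config that avoid the --local path.

# Fixed releases per maintenance track, as listed in the advisory.
FIXED_VERSIONS="2.30.6 2.31.5 2.32.4 2.33.5 2.34.5 2.35.5 2.36.3 2.37.4"

# version_ge A B: succeed when dotted numeric version A >= B. Pure POSIX sh,
# compared component by component; missing components count as 0.
version_ge() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    a="${a#*.}"  b="${b#*.}"
    x="${x:-0}"  y="${y:-0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# patched_status VERSION: prints one of
#   fixed       - on a track the advisory lists, at or above that track's fix
#   vulnerable  - below 2.30.6 (older tracks got no backport) or below the
#                 track's fixed release
#   unlisted    - a track newer than 2.37, which this advisory's list does not
#                 cover; check that release's notes rather than assuming safety
patched_status() {
  v="$1"
  case "$v" in *.*.*) ;; *.*) v="$v.0" ;; *) v="$v.0.0" ;; esac
  track="${v%.*}"                     # 2.37.4 -> 2.37
  for f in $FIXED_VERSIONS; do
    if [ "${f%.*}" = "$track" ]; then
      if version_ge "$v" "$f"; then echo fixed; else echo vulnerable; fi
      return 0
    fi
  done
  if version_ge "$v" "2.30.6"; then echo unlisted; else echo vulnerable; fi
}

# installed_git_status: classify the git on PATH. Strips the "git version "
# prefix and any platform suffix such as " (Apple Git-145)".
installed_git_status() {
  v="$(git --version 2>/dev/null |
       sed -n 's/^git version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')"
  [ -n "$v" ] || { echo "git not found"; return 1; }
  echo "git $v: $(patched_status "$v")"
}

# safe_clone SRC DST: clone an untrusted local repository without the --local
# optimization, so Git uses its normal transport instead of hardlinking or
# copying the source's $GIT_DIR/objects, where the symlink would be planted.
safe_clone() {
  git clone --no-local "$1" "$2"
}

# harden_submodule_file_transport: with protocol.file.allow=user, file:// is
# honoured only for commands the user runs directly, not for submodules
# fetched during a --recurse-submodules clone.
harden_submodule_file_transport() {
  git config --global protocol.file.allow user
}

# Usage: sh check_cve_2022_39253.sh check   (classifies the installed git).
# Without an argument the file only defines functions, so it can be sourced.
case "${1:-}" in
  check) installed_git_status ;;
esac
```

patched_status deliberately reports "unlisted" rather than "fixed" for tracks this advisory does not name, so the check never silently blesses a release it has no data for; extend FIXED_VERSIONS from the release notes if you need it to cover newer tracks.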