FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

git -- Local clone-based data exfiltration with non-local transports

Affected packages
git < 2.39.2

Details

VuXML ID 9548d6ed-b1da-11ed-b0f4-002590f2a714
Discovery 2023-02-14
Entry 2023-02-21

git team reports:

Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.

These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

References

CVE Name CVE-2023-22490
URL https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/#cve-2023-22490