Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2022-29187

Improper Ownership Management

Published: Jul 12, 2022 | Modified: Jan 14, 2024
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.9 MEDIUM
AV:L/AC:M/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
7.8 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-29187
CWEhttps://cwe.mitre.org/data/definitions/282.html

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Weakness

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

Affected Software

Name Vendor Start Version End Version
Git Git-scm 2.30.3 (including) 2.30.5 (excluding)
Git Git-scm 2.31.2 (including) 2.31.4 (excluding)
Git Git-scm 2.32.1 (including) 2.32.3 (excluding)
Git Git-scm 2.33.2 (including) 2.33.4 (excluding)
Git Git-scm 2.34.2 (including) 2.34.4 (excluding)
Git Git-scm 2.35.2 (including) 2.35.4 (excluding)
Git Git-scm 2.36.0 (including) 2.36.2 (excluding)
Git Git-scm 2.37.0 (including) 2.37.1 (excluding)
Red Hat Enterprise Linux 8 RedHat git-0:2.39.1-1.el8 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat git-0:2.31.8-1.el8_6 *
Red Hat Enterprise Linux 9 RedHat git-0:2.39.1-1.el9 *
Git Ubuntu bionic *
Git Ubuntu devel *
Git Ubuntu focal *
Git Ubuntu impish *
Git Ubuntu jammy *
Git Ubuntu kinetic *
Git Ubuntu lunar *
Git Ubuntu mantic *
Git Ubuntu noble *
Git Ubuntu trusty *
Git Ubuntu upstream *
Git Ubuntu xenial *

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use