Two critical vulnerabilities have been discovered in the popular Git version control system during a source code security audit. The vulnerabilities, CVE-2018-17456 and CVE-2018-17457, could both potentially allow a malicious user to overwrite parts of a Git repository with harmful code.
The security audit and research were conducted by Max Justicz, a Computer Science and Mathematics student and software intern at Sourcegraph. Justicz used a static program analysis approach to delve into the workings of Git, with the intention of discovering any unusual or suspicious behaviour.
Justicz noted that his search revealed two specific vulnerabilities that could allow a malicious user to craft a version string or environment variable and use it to exploit a vulnerable repository.
One of the vulnerabilities was particularly serious, allowing a malicious user to overwrite committed data in a Git repository. The malicious user could insert commands and other harmful code into the vulnerable repository, potentially leading to data theft, data loss, and remote code execution.
Justicz noted that the vulnerabilities impacted a number of popular Git clients, including the command line, GitHub Desktop, and Atom. Users of these clients should update them immediately to ensure that they are not vulnerable.
Justicz also warned developers to be careful when using Git, noting that vulnerable code can often be difficult to detect. While static code analysis tools can be used to detect common bugs and vulnerabilities, they may not be able to detect complex or tailored attacks.
Git is a popular version control system used by thousands of developers around the world. The discovery of the two critical vulnerabilities highlights the importance of taking a proactive approach to security audits and code reviews.
This Cyber News was published on www.securityweek.com. Publication date: Sun, 22 Jan 2023 10:48:00 +0000