Critical Git Vulnerabilities Discovered During Source Code Security Audit

Two critical vulnerabilities have been discovered in the popular Git version control system during a source code security audit. The vulnerabilities, CVE-2018-17456 and CVE-2018-17457, could both potentially allow a malicious user to overwrite parts of a Git repository with harmful code. The security audit and research was conducted by Max Justicz, a Computer Science and Mathematics student and software intern at Sourcegraph. Justicz used a static program analysis approach to delve into the workings of Git, with the intention of discovering any unusual or suspicious behaviour. Justicz noted that his search revealed two specific vulnerabilities that could allow a malicious user to craft a malicious version string or environment variable and use it to exploit a vulnerable repository. One of the vulnerabilities was particularly serious, allowing a malicious user to overwrite committed data in a Git repository. The malicious user could insert commands and other harmful code into the vulnerable repository, potentially leading to data theft, data loss, and the ability to execute remote code. Justicz noted that the vulnerabilities impacted a number of popular Git clients, including Command Line, GitHub Desktop, and Atom. Users of these clients should update their clients immediately to ensure that they are not vulnerable. Justicz also warned developers to be careful when using Git, noting that vulnerable code can often be difficult to detect. While static code analysis tools can be used to detect common bugs and vulnerabilities, they may not be able to detect complex or tailored attacks. Git is a popular version control system used by thousands of developers around the world. The discovery of the two critical vulnerabilities highlights the importance of taking a proactive approach to security audits and code reviews.

This Cyber News was published on www.securityweek.com. Publication date: Sun, 22 Jan 2023 10:48:00 +0000


Cyber News related to Critical Git Vulnerabilities Discovered During Source Code Security Audit

Critical Git Vulnerabilities Discovered During Source Code Security Audit - Two critical vulnerabilities have been discovered in the popular Git version control system during a source code security audit. The vulnerabilities, CVE-2018-17456 and CVE-2018-17457, could both potentially allow a malicious user to overwrite parts ...
1 year ago Securityweek.com
Auditing Kubernetes with Open Source SIEM and XDR - Container technology has gained traction among businesses due to the increased efficiency it provides. In this regard, organizations widely use Kubernetes for deploying, scaling, and managing containerized applications. Organizations should audit ...
1 year ago Thehackernews.com
CVE-2020-11008 - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open ...
4 years ago
CVE-2022-24765 - Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder ...
11 months ago
Git Security Breach – Critical Flaws Found - Software vulnerabilities are a serious concern for companies and developers. Recently, prominent source code management service Git, has come under scrutiny after two critical vulnerabilities were discovered, which could have been exploited to ...
1 year ago Securityaffairs.com
Critical Git vulnerability allows RCE when cloning repositories with submodules - Git is a widely-popular distributed version control system for collaborative software development. It can be installed on machines running Windows, macOS, Linux, and various *BSD distributions. Web-based software development platforms GitHub and ...
6 months ago Helpnetsecurity.com
CVE-2021-47603 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
CVE-2022-24826 - On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does ...
2 years ago
Microsoft extends Purview Audit log retention after July breach - Microsoft is extending Purview Audit log retention as promised after the Chinese Storm-0558 hacking group breached dozens of Exchange and Microsoft 365 corporate and government accounts in July. The list of affected organizations included government ...
1 year ago Bleepingcomputer.com
CVE-2021-23632 - All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js ...
2 years ago
Week in review: PoC for Splunk Enterprise RCE flaw released, scope of Okta breach widens - Vulnerability disclosure: Legal risks and ethical considerations for researchersIn this Help Net Security interview, Eddie Zhang, Principal Consultant at Project Black, explores the complex and often controversial world of vulnerability disclosure in ...
1 year ago Helpnetsecurity.com
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
8 months ago Cisa.gov
The First 10 Days of a vCISO’S Journey with a New Client - Cyber Defense Magazine - During this period, the vCISO conducts a comprehensive assessment to identify vulnerabilities, engages with key stakeholders to align security efforts with business objectives, and develops a strategic roadmap to prioritize actions and resources. If ...
2 months ago Cyberdefensemagazine.com
Wazuh: Building robust cybersecurity architecture with open source tools - Building a cybersecurity architecture requires organizations to leverage several security tools to provide multi-layer security in an ever-changing threat landscape. Leveraging open source tools and solutions to build a cybersecurity architecture ...
10 months ago Bleepingcomputer.com
Wazuh: Building robust cybersecurity architecture with open source tools - Building a cybersecurity architecture requires organizations to leverage several security tools to provide multi-layer security in an ever-changing threat landscape. Leveraging open source tools and solutions to build a cybersecurity architecture ...
10 months ago Bleepingcomputer.com
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
11 months ago Feeds.dzone.com
CVE-2022-41903 - Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding ...
11 months ago
Open Source Password Managers: Overview, Pros & Cons - There are many proprietary password managers on the market for those who want an out-of-the box solution, and then there are open source password managers for those wanting a more customizable option. In this article, we explain how open source ...
8 months ago Techrepublic.com
CVE-2020-26233 - Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, ...
3 years ago
Cybersecurity jobs available right now: October 2, 2024 - Help Net Security - As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to ...
2 months ago Helpnetsecurity.com
Are the Fears about the EU Cyber Resilience Act Justified? - "The draft cyber resilience act approved by the Industry, Research and Energy Committee aims to ensure that products with digital features, e.g. phones or toys, are secure to use, resilient against cyber threats and provide enough information about ...
1 year ago Securityboulevard.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
11 months ago Microsoft.com
Are the Fears About the EU Cyber Resilience Act Justified? - On Wednesday, July 19, the European Parliament voted in favor of a major new legal framework regarding cybersecurity: the Cyber Resilience Act. The act enters murky waters when it comes to open-source software. It typically accounts for 70% to 90% of ...
11 months ago Feeds.dzone.com
Infosec products of the month: May 2024 - The Third-Party Intelligence module combines vendor-specific cyber threat intelligence with cybersecurity posture data from suppliers' tech environments, exposing a critical blind spot for security teams. Synopsys Polaris Assist automates repetitive, ...
6 months ago Helpnetsecurity.com
Dotnet Source Generators in 2024 Part 1: Getting Started - Security Boulevard - While nice, this incurs an execution of any classes marked as a source generator every time something changes in the project (i.e., delete a line of code, add a line of code, make a new file, etc.). As you can imagine, having something running every ...
2 months ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)