CVE-2023-25652
- Source
- https://cve.org/CVERecord?id=CVE-2023-25652
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25652.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-25652
- Aliases
-
- GHSA-2hvf-7c8p-28fx
- Downstream
- Related
- Published
- 2023-04-25T19:17:35.315Z
- Modified
- 2026-06-25T04:03:32.761105291Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- "git apply --reject" partially-controlled arbitrary file write
- Details
-
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to
git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid usinggit applywith--rejectwhen applying patches from an untrusted source. Usegit apply --statto inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the*.rejfile exists. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25652.json", "cwe_ids": [ "CWE-22" ], "cna_assigner": "GitHub_M" }- References
-
- http://www.openwall.com/lists/oss-security/2023/04/25/2
- https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25652.json
- https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
- https://nvd.nist.gov/vuln/detail/CVE-2023-25652
- https://security.gentoo.org/glsa/202312-15
- https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
- https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
Affected packages
Git / github.com/git/git
Affected ranges
- Type
- GIT
- Repo
- https://github.com/git/git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedFixed
- Database specific
{ "source": [ "CPE_RANGE", "CPE_STRING", "REFERENCES" ], "cpe": [ "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "cpe:2.3:a:git-scm:git:2.40.0:*:*:*:*:*:*:*" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "2.30.9" }, { "last_affected": "2.40.0" }, { "introduced": "2.31.0" }, { "fixed": "2.31.8" }, { "introduced": "2.32.0" }, { "fixed": "2.32.7" }, { "introduced": "2.33.0" }, { "fixed": "2.33.8" }, { "introduced": "2.34.0" }, { "fixed": "2.34.8" }, { "introduced": "2.35.0" }, { "fixed": "2.35.8" }, { "introduced": "2.36.0" }, { "fixed": "2.36.6" }, { "introduced": "2.37.0" }, { "fixed": "2.37.7" }, { "introduced": "2.38.0" }, { "fixed": "2.38.5" }, { "introduced": "2.39.0" }, { "fixed": "2.39.3" } ] }
Affected versions
v0.*
v0.99
v0.99.1
v0.99.2
v0.99.3
v0.99.4
v0.99.5
v0.99.6
v0.99.7
v0.99.8
v0.99.8a
v0.99.8b
v0.99.8c
v0.99.8d
v0.99.8e
v0.99.8f
v0.99.8g
v0.99.9a
v0.99.9b
v0.99.9c
v0.99.9d
v0.99.9e
v0.99.9f
v0.99.9g
v0.99.9h
v0.99.9i
v0.99.9j
v0.99.9k
v0.99.9l
v0.99.9m
v0.99.9n
v1.*
v1.0.0
v1.0rc1
v1.0rc2
v1.0rc3
v1.0rc4
v1.0rc5
v1.0rc6
v1.1.0
v1.2.0
v1.3.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.4
v1.4.4-rc1
v1.4.4-rc2
v1.4.4.1
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.0-rc4
v1.5.1
v1.5.1-rc1
v1.5.1-rc2
v1.5.1-rc3
v1.5.2
v1.5.2-rc0
v1.5.2-rc1
v1.5.2-rc2
v1.5.2-rc3
v1.5.3
v1.5.3-rc0
v1.5.3-rc1
v1.5.3-rc2
v1.5.3-rc3
v1.5.3-rc4
v1.5.3-rc5
v1.5.3-rc6
v1.5.3-rc7
v1.5.3.1
v1.5.4
v1.5.4-rc0
v1.5.4-rc1
v1.5.4-rc2
v1.5.4-rc3
v1.5.4-rc4
v1.5.4-rc5
v1.5.5
v1.5.5-rc0
v1.5.5-rc1
v1.5.5-rc2
v1.5.5-rc3
v1.5.6
v1.5.6-rc0
v1.5.6-rc1
v1.5.6-rc2
v1.5.6-rc3
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.6.0-rc2
v1.6.0-rc3
v1.6.1
v1.6.1-rc1
v1.6.1-rc2
v1.6.1-rc3
v1.6.1-rc4
v1.6.2
v1.6.2-rc0
v1.6.2-rc1
v1.6.2-rc2
v1.6.3
v1.6.3-rc0
v1.6.3-rc1
v1.6.3-rc2
v1.6.3-rc3
v1.6.3-rc4
v1.6.4
v1.6.4-rc0
v1.6.4-rc1
v1.6.4-rc2
v1.6.4-rc3
v1.6.5
v1.6.5-rc0
v1.6.5-rc1
v1.6.5-rc2
v1.6.5-rc3
v1.6.6
v1.6.6-rc0
v1.6.6-rc1
v1.6.6-rc2
v1.6.6-rc3
v1.6.6-rc4
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2
v1.7.1
v1.7.1-rc0
v1.7.1-rc1
v1.7.1-rc2
v1.7.10
v1.7.10-rc0
v1.7.10-rc1
v1.7.10-rc2
v1.7.10-rc3
v1.7.10-rc4
v1.7.11
v1.7.11-rc0
v1.7.11-rc1
v1.7.11-rc2
v1.7.11-rc3
v1.7.12
v1.7.12-rc0
v1.7.12-rc1
v1.7.12-rc2
v1.7.12-rc3
v1.7.2
v1.7.2-rc0
v1.7.2-rc1
v1.7.2-rc2
v1.7.2-rc3
v1.7.3
v1.7.3-rc0
v1.7.3-rc1
v1.7.3-rc2
v1.7.3.1
v1.7.4
v1.7.4-rc0
v1.7.4-rc1
v1.7.4-rc2
v1.7.4-rc3
v1.7.5
v1.7.5-rc0
v1.7.5-rc1
v1.7.5-rc2
v1.7.5-rc3
v1.7.6
v1.7.6-rc0
v1.7.6-rc1
v1.7.6-rc2
v1.7.6-rc3
v1.7.7
v1.7.7-rc0
v1.7.7-rc1
v1.7.7-rc2
v1.7.7-rc3
v1.7.8
v1.7.8-rc0
v1.7.8-rc1
v1.7.8-rc2
v1.7.8-rc3
v1.7.8-rc4
v1.7.9
v1.7.9-rc0
v1.7.9-rc1
v1.7.9-rc2
v1.8.0
v1.8.0-rc0
v1.8.0-rc1
v1.8.0-rc2
v1.8.0-rc3
v1.8.1
v1.8.1-rc0
v1.8.1-rc1
v1.8.1-rc2
v1.8.1-rc3
v1.8.2
v1.8.2-rc0
v1.8.2-rc1
v1.8.2-rc2
v1.8.2-rc3
v1.8.3
v1.8.3-rc0
v1.8.3-rc1
v1.8.3-rc2
v1.8.3-rc3
v1.8.4
v1.8.4-rc0
v1.8.4-rc1
v1.8.4-rc2
v1.8.4-rc3
v1.8.4-rc4
v1.8.5
v1.8.5-rc0
v1.8.5-rc1
v1.8.5-rc2
v1.8.5-rc3
v1.9-rc0
v1.9-rc1
v1.9-rc2
v1.9.0
v1.9.0-rc3
v2.*
v2.0.0
v2.0.0-rc0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.1.0
v2.1.0-rc0
v2.1.0-rc1
v2.1.0-rc2
v2.10.0
v2.10.0-rc0
v2.10.0-rc1
v2.10.0-rc2
v2.11.0
v2.11.0-rc0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3
v2.12.0
v2.12.0-rc0
v2.12.0-rc1
v2.12.0-rc2
v2.13.0
v2.13.0-rc0
v2.13.0-rc1
v2.13.0-rc2
v2.14.0
v2.14.0-rc0
v2.14.0-rc1
v2.15.0
v2.15.0-rc0
v2.15.0-rc1
v2.15.0-rc2
v2.16.0
v2.16.0-rc0
v2.16.0-rc1
v2.16.0-rc2
v2.17.0
v2.17.0-rc0
v2.17.0-rc1
v2.17.0-rc2
v2.18.0
v2.18.0-rc0
v2.18.0-rc1
v2.18.0-rc2
v2.19.0
v2.19.0-rc0
v2.19.0-rc1
v2.19.0-rc2
v2.2.0
v2.2.0-rc0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.20.0
v2.20.0-rc0
v2.20.0-rc1
v2.20.0-rc2
v2.21.0
v2.21.0-rc0
v2.21.0-rc1
v2.21.0-rc2
v2.22.0
v2.22.0-rc0
v2.22.0-rc1
v2.22.0-rc2
v2.22.0-rc3
v2.23.0
v2.23.0-rc0
v2.23.0-rc1
v2.23.0-rc2
v2.24.0
v2.24.0-rc0
v2.24.0-rc1
v2.24.0-rc2
v2.25.0
v2.25.0-rc0
v2.25.0-rc1
v2.25.0-rc2
v2.26.0
v2.26.0-rc0
v2.26.0-rc1
v2.26.0-rc2
v2.27.0
v2.27.0-rc0
v2.27.0-rc1
v2.27.0-rc2
v2.28.0
v2.28.0-rc0
v2.28.0-rc1
v2.28.0-rc2
v2.29.0
v2.29.0-rc0
v2.29.0-rc1
v2.29.0-rc2
v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2
v2.30.0
v2.30.0-rc0
v2.30.0-rc1
v2.30.0-rc2
v2.30.1
v2.30.2
v2.30.3
v2.30.4
v2.30.5
v2.30.6
v2.30.7
v2.30.8
v2.31.0
v2.31.1
v2.31.2
v2.31.3
v2.31.4
v2.31.5
v2.31.6
v2.31.7
v2.32.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.32.6
v2.33.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1
v2.34.2
v2.34.3
v2.34.4
v2.34.5
v2.34.6
v2.34.7
v2.35.0
v2.35.1
v2.35.2
v2.35.3
v2.35.4
v2.35.5
v2.35.6
v2.35.7
v2.36.0
v2.36.1
v2.36.2
v2.36.3
v2.36.4
v2.36.5
v2.37.0
v2.37.1
v2.37.2
v2.37.3
v2.37.4
v2.37.5
v2.37.6
v2.38.0
v2.38.1
v2.38.2
v2.38.3
v2.38.4
v2.39.0
v2.39.1
v2.39.2
v2.4.0
v2.4.0-rc0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.5.0
v2.5.0-rc0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.6.0
v2.6.0-rc0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.7.0
v2.7.0-rc0
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.8.0
v2.8.0-rc0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.9.0
v2.9.0-rc0
v2.9.0-rc1
v2.9.0-rc2