BDU:2023-06650

Опубликовано: 13 июн. 2023

Источник: fstec

CVSS3: 3.3

CVSS2: 2.4

EPSS Низкий

Описание

Уязвимость функции gettext() распределенной системы контроля версий Git для Windows связана с неверным ограничением имени пути к каталогу с ограниченным доступом. Эксплуатация уязвимости может позволить нарушителю размещать произвольные сообщения

Вендор

Red Hat Inc.

Novell Inc.

Microsoft Corp.

Fedora Project

АО "НППКТ"

Linus Torvalds, Junio Hamano

Наименование ПО

Red Hat Enterprise Linux

Suse Linux Enterprise Desktop

SUSE Linux Enterprise Server for SAP Applications

Suse Linux Enterprise Server

Microsoft Visual Studio

Fedora

ОСОН ОСнова Оnyx

Git

Версия ПО

6 (Red Hat Enterprise Linux)

7 (Red Hat Enterprise Linux)

12 SP3 (Suse Linux Enterprise Desktop)

12 SP4 (Suse Linux Enterprise Desktop)

12 SP2 (SUSE Linux Enterprise Server for SAP Applications)

12 SP3 (SUSE Linux Enterprise Server for SAP Applications)

12 SP3 (Suse Linux Enterprise Server)

12 SP4 (Suse Linux Enterprise Server)

8 (Red Hat Enterprise Linux)

12 SP2-ESPOS (Suse Linux Enterprise Server)

12-LTSS (Suse Linux Enterprise Server)

12 SP1 (SUSE Linux Enterprise Server for SAP Applications)

15 (SUSE Linux Enterprise Server for SAP Applications)

12 SP1-LTSS (Suse Linux Enterprise Server)

12 SP2-LTSS (Suse Linux Enterprise Server)

12 SP3-LTSS (Suse Linux Enterprise Server)

12 SP3-BCL (Suse Linux Enterprise Server)

12 SP3-ESPOS (Suse Linux Enterprise Server)

12 SP2 (Suse Linux Enterprise Server)

15-LTSS (Suse Linux Enterprise Server)

12 SP1 (Suse Linux Enterprise Desktop)

12 SP1 (Suse Linux Enterprise Server)

12 (SUSE Linux Enterprise Server for SAP Applications)

12 (Suse Linux Enterprise Desktop)

12 SP4-ESPOS (Suse Linux Enterprise Server)

2017 15.9 (от 15.0 до 15.8 включительно) (Microsoft Visual Studio)

15 SP1-BCL (Suse Linux Enterprise Server)

15 SP1 (Suse Linux Enterprise Server)

12 (Suse Linux Enterprise Server)

8.1 Update Services for SAP Solutions (Red Hat Enterprise Linux)

8.4 Extended Update Support (Red Hat Enterprise Linux)

2022 17.0 (Microsoft Visual Studio)

2019 16.11 (от 16.0 до 16.10 включительно) (Microsoft Visual Studio)

15 SP2 (Suse Linux Enterprise Server)

36 (Fedora)

15 SP2 (Suse Linux Enterprise Desktop)

15 (Suse Linux Enterprise Server)

15 SP2-BCL (Suse Linux Enterprise Server)

9 (Red Hat Enterprise Linux)

15 SP1 (Suse Linux Enterprise Desktop)

15 (Suse Linux Enterprise Desktop)

2022 17.2 (Microsoft Visual Studio)

37 (Fedora)

8.6 Extended Update Support (Red Hat Enterprise Linux)

2022 17.4 (Microsoft Visual Studio)

9.0 Extended Update Support (Red Hat Enterprise Linux)

8.2 Advanced Update Support (Red Hat Enterprise Linux)

38 (Fedora)

2022 17.6 (Microsoft Visual Studio)

до 2.8 (ОСОН ОСнова Оnyx)

до 2.40.1 (Git)

Тип ПО

Операционная система

Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

Red Hat Inc. Red Hat Enterprise Linux 6

Red Hat Inc. Red Hat Enterprise Linux 7

Novell Inc. Suse Linux Enterprise Desktop 12 SP3

Novell Inc. Suse Linux Enterprise Desktop 12 SP4

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3

Novell Inc. Suse Linux Enterprise Server 12 SP3

Novell Inc. Suse Linux Enterprise Server 12 SP4

Red Hat Inc. Red Hat Enterprise Linux 8

Novell Inc. Suse Linux Enterprise Server 12 SP2-ESPOS

Novell Inc. Suse Linux Enterprise Server 12-LTSS

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP1

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15

Novell Inc. Suse Linux Enterprise Server 12 SP1-LTSS

Novell Inc. Suse Linux Enterprise Server 12 SP2-LTSS

Novell Inc. Suse Linux Enterprise Server 12 SP3-LTSS

Novell Inc. Suse Linux Enterprise Server 12 SP3-BCL

Novell Inc. Suse Linux Enterprise Server 12 SP3-ESPOS

Novell Inc. Suse Linux Enterprise Server 12 SP2

Novell Inc. Suse Linux Enterprise Server 15-LTSS

Novell Inc. Suse Linux Enterprise Desktop 12 SP1

Novell Inc. Suse Linux Enterprise Server 12 SP1

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12

Novell Inc. Suse Linux Enterprise Desktop 12

Novell Inc. Suse Linux Enterprise Server 12 SP4-ESPOS

Novell Inc. Suse Linux Enterprise Server 15 SP1-BCL

Novell Inc. Suse Linux Enterprise Server 15 SP1

Novell Inc. Suse Linux Enterprise Server 12

Red Hat Inc. Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Red Hat Inc. Red Hat Enterprise Linux 8.4 Extended Update Support

Novell Inc. Suse Linux Enterprise Server 15 SP2

Fedora Project Fedora 36

Novell Inc. Suse Linux Enterprise Desktop 15 SP2

Novell Inc. Suse Linux Enterprise Server 15

Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL

Red Hat Inc. Red Hat Enterprise Linux 9

Novell Inc. Suse Linux Enterprise Desktop 15 SP1

Novell Inc. Suse Linux Enterprise Desktop 15

Fedora Project Fedora 37

Red Hat Inc. Red Hat Enterprise Linux 8.6 Extended Update Support

Red Hat Inc. Red Hat Enterprise Linux 9.0 Extended Update Support

Red Hat Inc. Red Hat Enterprise Linux 8.2 Advanced Update Support

Fedora Project Fedora 38

АО "НППКТ" ОСОН ОСнова Оnyx до 2.8

Уровень опасности уязвимости

Низкий уровень опасности (базовая оценка CVSS 2.0 составляет 2,4)

Низкий уровень опасности (базовая оценка CVSS 3.0 составляет 3,3)

Возможные меры по устранению уязвимости

Обновление программного обеспечения Git до версии 2.40.1 или выше

Использование рекомендаций:

Для программных продуктов Microsoft Corp.:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-22743

Для программных продуктов Red Hat Inc.:

https://access.redhat.com/security/cve/cve-2023-25815

Для программных продуктов Novell Inc.:

https://www.suse.com/security/cve/CVE-2023-25815.html

Для Fedora:

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/

Для ОСОН ОСнова Оnyx:

Обновление программного обеспечения git до версии 1:2.40.1-1

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25815
CVE

EPSS

Процентиль: 27%

0.00092

Низкий

3.3 Low

CVSS3

2.4 Low

CVSS2

Связанные уязвимости

CVE-2023-25815

CVSS3: 3.3

ubuntu

около 2 лет назад

In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It ...

CVE-2023-25815

CVSS3: 2.2

redhat

около 2 лет назад

CVE-2023-25815

CVSS3: 3.3

nvd

около 2 лет назад

CVE-2023-25815

msrc

около 2 лет назад

GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place

CVE-2023-25815

CVSS3: 3.3

debian

около 2 лет назад

In Git for Windows, the Windows port of Git, no localized messages are ...

EPSS

Процентиль: 27%

0.00092

Низкий

3.3 Low

CVSS3

2.4 Low

CVSS2