Описание
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
There's a vulnerability in gitk where an user can be tricked to run malicious scripts supplied by the attacker when running gitk filename command. When successfully exploited this vulnerability may result in arbitrary code execution.
Отчет
The Red Hat Product Security team has rated this vulnerability as having a Moderate impact as it depends on the user to be tricked to run the command using the malicious file as parameter.
Меры по смягчению последствий
There's no known mitigation for this issue besides avoid using gitk with untrusted repositories or unstrusted files.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | git | Out of support scope | ||
| Red Hat Enterprise Linux 7 | git | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred | ||
| Red Hat Enterprise Linux 10 | git | Fixed | RHSA-2025:11533 | 22.07.2025 |
| Red Hat Enterprise Linux 8 | git | Fixed | RHSA-2025:11534 | 23.07.2025 |
| Red Hat Enterprise Linux 9 | git | Fixed | RHSA-2025:11462 | 21.07.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.3 Medium
CVSS3
Связанные уязвимости
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Gi ...
Уязвимость команды gitk filename браузера Gitk, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
EPSS
6.3 Medium
CVSS3