Description
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
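The version ranges in the description translate into a straightforward check of an upstream git build. The Python below is an added example, not code from the Git project or from Red Hat: it encodes the first affected release (2.41.0) and the fixed releases listed above, keyed by maintenance branch, and classifies a version string of the form produced by `git --version`. The function and constant names are the example's own. It applies to upstream builds only; distribution packages such as the RHEL git RPMs backport fixes under their existing version numbers, so for those the advisory table on this page is authoritative, not the version string.

```python
import re
import subprocess

# Fixed releases named in the CVE-2025-27614 description, keyed by
# maintenance branch (major, minor) -> first fixed patch level.
FIXED_BY_BRANCH = {
    (2, 43): 7,
    (2, 44): 4,
    (2, 45): 4,
    (2, 46): 4,
    (2, 47): 3,
    (2, 48): 2,
    (2, 49): 1,
}
FIRST_AFFECTED = (2, 41, 0)        # "Starting with 2.41.0"
FIRST_FIXED_MAINLINE = (2, 50, 0)  # "... and 2.50"

# Leading numeric components only; suffixes such as ".windows.1" or
# "-rc1" are ignored, so release candidates of 2.50 are reported as
# fixed even though the page says nothing about them.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_git_version(text):
    """Extract (major, minor, patch) from 'git --version' output,
    e.g. 'git version 2.47.1' -> (2, 47, 1)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def upstream_status(version):
    """Classify an upstream git version against the advisory's ranges.

    Returns 'not affected', 'fixed', or a string starting with
    'vulnerable'. Branches 2.41 and 2.42 fall in the affected range but
    have no fixed release listed on the page, so they stay vulnerable."""
    if version < FIRST_AFFECTED:
        return "not affected"
    if version >= FIRST_FIXED_MAINLINE:
        return "fixed"
    branch = version[:2]
    fixed_patch = FIXED_BY_BRANCH.get(branch)
    if fixed_patch is None:
        return "vulnerable (no fixed release listed for this branch)"
    return "fixed" if version[2] >= fixed_patch else "vulnerable"


def check_installed(git="git"):
    """Run the local git binary and classify its upstream version.
    Only meaningful for upstream builds; distro packages backport fixes."""
    out = subprocess.run(
        [git, "--version"], capture_output=True, text=True, check=True
    ).stdout
    version = parse_git_version(out)
    return version, upstream_status(version)


if __name__ == "__main__":
    installed, status = check_installed()
    print(".".join(map(str, installed)), status)
```

On a Red Hat system the same git RPM version can be either state depending on whether the RHSA listed below has been applied, so check the package errata rather than the upstream number; `rpm -q --changelog git` typically names the CVE once the fix has been backported.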
Statement
The Red Hat Product Security team has rated this vulnerability as having Moderate impact, because exploitation depends on the user being tricked into running gitk with the malicious file as its argument.
Mitigation
There is no known mitigation for this issue other than avoiding the use of gitk with untrusted repositories or untrusted files.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | git | Under investigation | ||
Red Hat Enterprise Linux 7 | git | Under investigation | ||
Red Hat OpenShift Container Platform 4 | rhcos | Under investigation | ||
Red Hat Enterprise Linux 10 | git | Fixed | RHSA-2025:11533 | 22.07.2025 |
Red Hat Enterprise Linux 8 | git | Fixed | RHSA-2025:11534 | 23.07.2025 |
Red Hat Enterprise Linux 9 | git | Fixed | RHSA-2025:11462 | 21.07.2025 |
Additional information
EPSS:
CVSS3: 6.3 Medium
Related vulnerabilities
MITRE: CVE-2025-27614 Gitk Arbitrary Code Execution Vulnerability
Vulnerability in the gitk filename command of the Gitk history browser, allowing an attacker to affect the confidentiality, integrity and availability of protected information