Impact
This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder C:\.git, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory.
Git Bash users who set GIT_PS1_SHOWDIRTYSTATE (as recommended in the Pro Git Book) are vulnerable.
Users who installed posh-git are vulnerable simply by starting a PowerShell.
Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in C:\.git\config.
Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash.
Patches
The problem has been patched in Git for Windows v2.35.2.
Workarounds
Create the folder .git on all drives where Git commands are run, and remove read/write access from those folders:
mkdir \.git
icacls \.git /inheritance:r
Alternatively, define or extend GIT_CEILING_DIRECTORIES to cover the parent directory of the user profile, e.g. C:\Users if the user profile is located in C:\Users\my-user-name.
Credits
Many thanks to 俞晨东 for finding and reporting the vulnerability!
References
For more information
CVSS v3.1 Vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:L/MUI:R/MS:U/MC:H/MI:H/MA:N
If you have any questions or comments about this advisory:
ycdxsb Analyst
Impact
This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder
C:\.git, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory.Git Bash users who set
GIT_PS1_SHOWDIRTYSTATE(as recommended in the Pro Git Book) are vulnerable.Users who installed posh-git are vulnerable simply by starting a PowerShell.
Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in
C:\.git\config.Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash.
Patches
The problem has been patched in Git for Windows v2.35.2.
Workarounds
Create the folder
.giton all drives where Git commands are run, and remove read/write access from those folders:Alternatively, define or extend
GIT_CEILING_DIRECTORIESto cover the parent directory of the user profile, e.g.C:\Usersif the user profile is located inC:\Users\my-user-name.Credits
Many thanks to 俞晨东 for finding and reporting the vulnerability!
References
GIT_CEILING_DIRECTORIESFor more information
CVSS v3.1 Vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:H/MPR:L/MUI:R/MS:U/MC:H/MI:H/MA:N
If you have any questions or comments about this advisory: