CVE-2022-23521 Overview
CVE-2022-23521 is a critical integer overflow vulnerability in Git, the widely-used distributed revision control system. The vulnerability exists in the gitattributes parsing mechanism, which allows defining attributes for paths within a repository. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are extremely large.
These overflows can be triggered via a crafted .gitattributes file that may be part of a repository's commit history. A particularly concerning aspect is that Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. This inconsistency means the failure mode depends on whether the malicious file exists in the working tree, the index, or both. Successful exploitation of this integer overflow can result in arbitrary heap reads and writes, potentially leading to remote code execution.
Critical Impact
This vulnerability enables remote code execution through crafted Git repositories. Cloning or interacting with a malicious repository could compromise the user's system without any additional user interaction.
Affected Products
- Git versions prior to 2.30.7
- Git versions 2.31.x prior to 2.31.6
- Git version 2.39.0
Discovery Timeline
- 2023-01-17 - CVE-2022-23521 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23521
Vulnerability Analysis
The vulnerability resides in Git's gitattributes parsing functionality, which is designed to allow repository maintainers to define attributes for specific file paths using pattern matching. The .gitattributes file contains patterns and their associated attributes, which Git uses for various operations including merge handling, diff generation, and archive creation.
The core issue stems from improper integer handling when processing gitattributes entries. When an attacker crafts a .gitattributes file with an excessive number of path patterns, an unusually large number of attributes for a single pattern, or extremely long attribute names, integer overflow conditions can occur during memory allocation calculations. These overflows cause undersized memory allocations, which subsequently lead to heap-based buffer overflows during data population.
The behavioral difference between file-based and index-based parsing creates additional complexity. When Git encounters lines longer than 2KB in a file, it silently truncates them, potentially masking some exploitation attempts. However, when the same data is read from the Git index (a binary cache of the repository state), no such truncation occurs, allowing the full malicious payload to be processed.
Root Cause
The root cause of CVE-2022-23521 is an integer overflow vulnerability (CWE-190) in the gitattributes parsing code. When calculating buffer sizes for storing path patterns, attribute counts, or attribute names, the code performs arithmetic operations that can overflow when processing maliciously large values. This results in allocated buffers being significantly smaller than required, creating conditions for heap corruption when the actual data is written.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction beyond standard Git operations. An attacker can exploit this vulnerability by:
- Creating a malicious Git repository containing a crafted .gitattributes file
- Hosting the repository on a publicly accessible Git server
- Waiting for victims to clone the repository or pull updates
- Upon clone or checkout operations, Git parses the malicious gitattributes, triggering the integer overflow
- The resulting heap corruption can be leveraged to achieve arbitrary code execution in the context of the Git process
+Git v2.30.7 Release Notes
+=========================
+
+This release addresses the security issues CVE-2022-41903 and
+CVE-2022-23521.
+
+
+Fixes since v2.30.6
+-------------------
+
+ * CVE-2022-41903:
+
+ git log has the ability to display commits using an arbitrary
+ format with its --format specifiers. This functionality is also
+ exposed to git archive via the export-subst gitattribute.
+
+ When processing the padding operators (e.g., %<(, %<|(, %>(,
+ %>>(, or %><( ), an integer overflow can occur in
+ pretty.c::format_and_pad_commit() where a size_t is improperly
+ stored as an int, and then added as an offset to a subsequent
+ memcpy() call.
+
+ This overflow can be triggered directly by a user running a
+ command which invokes the commit formatting machinery (e.g., git
+ log --format=...). It may also be triggered indirectly through
+ git archive via the export-subst mechanism, which expands format
+ specifiers inside of files within the repository during a git
+ archive.
+
+ This integer overflow can result in arbitrary heap writes, which
Source: GitHub Commit 508386c6c5857b4faa2c3e491f422c98cc69ae76
Detection Methods for CVE-2022-23521
Indicators of Compromise
- Presence of unusually large .gitattributes files in repository history or working directory
- Git processes crashing unexpectedly during clone, checkout, or diff operations
- Memory access violations or segmentation faults in Git client logs
- Repositories from untrusted sources containing suspicious .gitattributes entries
Detection Strategies
- Monitor Git version deployments across the organization and flag instances running versions prior to 2.30.7, 2.31.6, or 2.39.1
- Implement file integrity monitoring on Git binaries to detect potential compromise
- Use endpoint detection solutions to identify anomalous memory access patterns during Git operations
- Configure security tooling to alert on Git process crashes or unexpected terminations
Monitoring Recommendations
- Enable verbose logging for Git operations in CI/CD pipelines and development environments
- Implement repository scanning to identify .gitattributes files with suspicious characteristics such as excessive line lengths or unusual pattern counts
- Monitor for unusual network activity following Git clone or fetch operations that could indicate post-exploitation behavior
- Deploy SentinelOne agents configured to detect memory corruption exploitation attempts in Git processes
How to Mitigate CVE-2022-23521
Immediate Actions Required
- Upgrade Git to version 2.30.7 or later immediately across all systems
- Audit recent Git clone operations from untrusted sources and investigate any anomalies
- Review CI/CD pipelines to ensure they use patched Git versions
- Consider implementing repository allowlists to prevent interaction with untrusted Git repositories
Patch Information
Git maintainers released patched versions on 2023-01-17, addressing this vulnerability. The security fix is available in Git 2.30.7 and all subsequent versions. Organizations should prioritize upgrading to these patched versions. The specific commit addressing this issue can be reviewed at the GitHub Commit 508386c6c5857b4faa2c3e491f422c98cc69ae76. Additional details are available in the GitHub Security Advisory.
Workarounds
- There are no known workarounds for this vulnerability according to the security advisory
- Upgrading to patched versions is the only effective remediation
- If immediate patching is not possible, avoid cloning or interacting with repositories from untrusted sources
- Consider using Git hosting services that may implement server-side mitigations
# Check current Git version
git --version
# Update Git on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get install git
# Update Git on RHEL/CentOS systems
sudo yum update git
# Update Git on macOS using Homebrew
brew upgrade git
# Verify update was successful
git --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
