CVE-2022-29187: Git-scm Git Privilege Escalation Flaw

CVE-2022-29187 Overview

CVE-2022-29187 is a privilege escalation vulnerability affecting Git, the widely-used distributed revision control system. This vulnerability is a bypass of the incomplete fix for CVE-2022-24765, where an unsuspecting user running Git as root (or Administrator on Windows) could be affected when navigating into a shared directory owned by them but containing a malicious Git repository planted by an attacker.

The vulnerability exists in how Git handles repository ownership validation in shared directories. An attacker with local access can create a malicious .git directory in a shared location such as /tmp, and when a privileged user executes Git commands within that directory, the attacker's configuration could be executed with elevated privileges.

Critical Impact
Privilege escalation across all platforms when Git is run as root or Administrator in directories containing attacker-controlled repositories

Affected Products

Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5
Fedora 35, 36, and 37
Apple Xcode (versions prior to patched release)
Debian Linux 10.0

Discovery Timeline

2022-07-12 - CVE-2022-29187 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-29187

Vulnerability Analysis

This vulnerability stems from an incomplete mitigation of the earlier CVE-2022-24765. While the initial fix attempted to prevent privilege escalation through unsafe repository ownership, it failed to account for scenarios where a privileged user navigates into a directory they own but where an attacker has created a Git repository.

The core issue lies in Git's trust model for repository configurations. When Git executes commands, it searches for .git directories and processes configuration files found within them. In shared environments like /tmp, where multiple users have write access, an attacker can pre-create a malicious Git repository containing harmful configuration directives.

When a legitimate user with elevated privileges (root/Administrator) enters this directory and runs any Git command, Git processes the attacker-controlled configuration. This can lead to arbitrary command execution through Git hooks or configuration options like core.fsmonitor, core.sshCommand, or credential helpers.

Root Cause

The root cause is improper ownership validation (CWE-282) combined with uncontrolled search path elements (CWE-427). Git's directory traversal logic for finding repositories did not adequately verify that the repository was created by the current user, allowing configuration injection from attacker-controlled repositories in shared directories.

Attack Vector

This is a local attack vector requiring the attacker to have write access to a directory that the victim user owns or will traverse. The attack scenario involves:

An attacker identifies a shared directory (e.g., /tmp) that a privileged user owns or frequently accesses
The attacker creates a malicious Git repository in that directory with crafted configuration or hooks
When the privileged user navigates to the directory and executes a Git command, the malicious configuration is loaded
The attacker's payload executes with the victim's elevated privileges

The vulnerability does not require user interaction beyond the victim running Git commands, and the complexity is low as the attacker simply needs to prepare the malicious repository in advance.

Detection Methods for CVE-2022-29187

Indicators of Compromise

Unexpected .git directories in shared locations such as /tmp, /var/tmp, or user-owned shared directories
Git repositories with suspicious core.fsmonitor, core.sshCommand, or credential.helper configurations
Unusual Git hook scripts in repositories located in shared directories
Evidence of privilege escalation attempts through Git process execution logs

Detection Strategies

Monitor for Git repository creation in shared directories by non-owner users using file integrity monitoring
Audit Git command execution by privileged users (root/Administrator) across the environment
Implement security tooling to detect suspicious .git/config files containing command execution directives
Review system logs for unexpected child processes spawned by Git when run with elevated privileges

Monitoring Recommendations

Deploy endpoint detection to monitor Git process behavior and configuration file access patterns
Establish baseline alerts for Git commands executed with root/Administrator privileges
Implement directory auditing on common shared paths to detect unauthorized repository creation
Configure SentinelOne Singularity to detect and alert on suspicious Git hook execution and configuration manipulation

How to Mitigate CVE-2022-29187

Immediate Actions Required

Update Git to patched versions: 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, or 2.30.5
Avoid running Git as root or Administrator whenever possible; minimize privileged Git usage
Audit shared directories for suspicious .git directories and remove any unauthorized repositories
Configure the safe.directory Git configuration option to explicitly whitelist trusted repositories

Patch Information

Security patches are available through the official Git releases and distribution package managers. Multiple vendors have released advisories and patches:

GitHub Security Advisory GHSA-j342-m5hw-rr3v provides the official security advisory and patch details
Apple Support Article - HT213496 addresses the vulnerability in Xcode
Debian LTS Announcement provides Debian-specific patch information
Fedora users should apply updates via dnf update git as documented in the Fedora Package Announcements

Workarounds

Restrict use of Git with root/Administrator privileges to essential operations only
Remove any existing suspicious repositories in shared directories and create placeholder directories owned by root to block future attacks
Configure Git's safe.directory setting to explicitly define trusted repository locations
Implement directory permissions that prevent unauthorized users from creating subdirectories in shared spaces

bash

# Configuration example - Mark directories as safe or restrict Git behavior
# Add trusted directories to safe.directory (run as the user who needs access)
git config --global --add safe.directory /path/to/trusted/repo

# List current safe directories
git config --global --get-all safe.directory

# Block attacks by creating root-owned placeholder in shared directories
sudo mkdir -p /tmp/.git
sudo chown root:root /tmp/.git
sudo chmod 000 /tmp/.git

CVE-2022-29187 Overview

Critical Impact
Privilege escalation across all platforms when Git is run as root or Administrator in directories containing attacker-controlled repositories

Affected Products

Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5
Fedora 35, 36, and 37
Apple Xcode (versions prior to patched release)
Debian Linux 10.0

Discovery Timeline

2022-07-12 - CVE-2022-29187 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-29187

Vulnerability Analysis

Root Cause

Attack Vector

This is a local attack vector requiring the attacker to have write access to a directory that the victim user owns or will traverse. The attack scenario involves:

An attacker identifies a shared directory (e.g., /tmp) that a privileged user owns or frequently accesses
The attacker creates a malicious Git repository in that directory with crafted configuration or hooks
When the privileged user navigates to the directory and executes a Git command, the malicious configuration is loaded
The attacker's payload executes with the victim's elevated privileges

The vulnerability does not require user interaction beyond the victim running Git commands, and the complexity is low as the attacker simply needs to prepare the malicious repository in advance.

Detection Methods for CVE-2022-29187

Indicators of Compromise

Unexpected .git directories in shared locations such as /tmp, /var/tmp, or user-owned shared directories
Git repositories with suspicious core.fsmonitor, core.sshCommand, or credential.helper configurations
Unusual Git hook scripts in repositories located in shared directories
Evidence of privilege escalation attempts through Git process execution logs

Detection Strategies

Monitor for Git repository creation in shared directories by non-owner users using file integrity monitoring
Audit Git command execution by privileged users (root/Administrator) across the environment
Implement security tooling to detect suspicious .git/config files containing command execution directives
Review system logs for unexpected child processes spawned by Git when run with elevated privileges

Monitoring Recommendations

Deploy endpoint detection to monitor Git process behavior and configuration file access patterns
Establish baseline alerts for Git commands executed with root/Administrator privileges
Implement directory auditing on common shared paths to detect unauthorized repository creation
Configure SentinelOne Singularity to detect and alert on suspicious Git hook execution and configuration manipulation

How to Mitigate CVE-2022-29187

Immediate Actions Required

Update Git to patched versions: 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, or 2.30.5
Avoid running Git as root or Administrator whenever possible; minimize privileged Git usage
Audit shared directories for suspicious .git directories and remove any unauthorized repositories
Configure the safe.directory Git configuration option to explicitly whitelist trusted repositories

Patch Information

Security patches are available through the official Git releases and distribution package managers. Multiple vendors have released advisories and patches:

GitHub Security Advisory GHSA-j342-m5hw-rr3v provides the official security advisory and patch details
Apple Support Article - HT213496 addresses the vulnerability in Xcode
Debian LTS Announcement provides Debian-specific patch information
Fedora users should apply updates via dnf update git as documented in the Fedora Package Announcements

Workarounds

Restrict use of Git with root/Administrator privileges to essential operations only
Remove any existing suspicious repositories in shared directories and create placeholder directories owned by root to block future attacks
Configure Git's safe.directory setting to explicitly define trusted repository locations
Implement directory permissions that prevent unauthorized users from creating subdirectories in shared spaces

bash

# Configuration example - Mark directories as safe or restrict Git behavior
# Add trusted directories to safe.directory (run as the user who needs access)
git config --global --add safe.directory /path/to/trusted/repo

# List current safe directories
git config --global --get-all safe.directory

# Block attacks by creating root-owned placeholder in shared directories
sudo mkdir -p /tmp/.git
sudo chown root:root /tmp/.git
sudo chmod 000 /tmp/.git

CVE-2022-29187: Git-scm Git Privilege Escalation Flaw

CVE-2022-29187 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-29187

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-29187

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-29187

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-29187: Git-scm Git Privilege Escalation Flaw

CVE-2022-29187 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-29187

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-29187

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-29187

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform