CVE-2022-29187 Overview
CVE-2022-29187 is a privilege escalation vulnerability in Git, the distributed revision control system maintained by the git-scm project. The flaw allows an attacker to bypass the safe.directory protections introduced for CVE-2022-24765. A user running Git as root inside a shared directory that the root user owns, such as /tmp, can be compromised if an attacker plants a malicious repository in that path. Affected versions include all Git releases prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5. The issue is tracked under CWE-282 (Improper Ownership Management) and CWE-427 (Uncontrolled Search Path Element).
Critical Impact
A local attacker can achieve privilege escalation when a higher-privileged user (such as root or a Windows Administrator) executes Git inside a directory containing an attacker-controlled repository.
Affected Products
- Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5
- Fedora 35, 36, and 37; Debian Linux 10.0
- Apple Xcode (versions prior to the fix shipped in Apple HT213496)
Discovery Timeline
- 2022-07-12 - CVE-2022-29187 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29187
Vulnerability Analysis
The vulnerability stems from an incomplete fix for CVE-2022-24765. That earlier patch added the safe.directory configuration to prevent Git from trusting repositories owned by another user. However, the original check exempted the root user under the assumption that root would never traverse untrusted directories. Attackers can defeat this assumption by planting a .git directory inside any location a privileged user later enters, such as a shared /tmp directory the privileged user owns.
When Git executes inside such a directory, it reads the attacker-supplied .git/config file. The configuration can specify arbitrary values for core.fsmonitor, core.pager, or similar directives that Git invokes as shell commands. The privileged process then executes attacker-controlled code, completing the privilege escalation chain.
Root Cause
The root cause is improper ownership validation in Git's repository discovery logic. Git skipped the safe.directory ownership check when the effective user was root, leaving privileged invocations exposed to the same parent-directory takeover pattern previously addressed by CVE-2022-24765. The defect aligns with CWE-282 (Improper Ownership Management) and CWE-427 (Uncontrolled Search Path Element).
Attack Vector
Exploitation requires local access and the ability to write into a directory that a privileged user will traverse. The attacker creates a Git repository, complete with a crafted .git/config, in a path such as /tmp/attacker-controlled/. When root runs any Git command in that directory (or a subdirectory), Git ascends the directory tree, locates the malicious .git, and executes hooks or configured commands with root privileges.
Exploitation needs no network access and no user interaction beyond the privileged Git invocation itself; the only authentication required is local shell access. Refer to the GitHub Security Advisory GHSA-j342-m5hw-rr3v and the Openwall OSS-Security disclosure for the upstream technical analysis.
Detection Methods for CVE-2022-29187
Indicators of Compromise
- Unexpected .git directories present in shared paths such as /tmp, /var/tmp, or system service working directories.
- Git configuration files (.git/config) referencing executables in core.fsmonitor, core.pager, core.editor, or core.sshCommand that point to attacker-controlled binaries.
- Process telemetry showing git invoked as root followed by execution of unexpected shell or interpreter processes.
Detection Strategies
- Audit endpoint process logs for git executions where the parent process runs with elevated privileges and the working directory is world-writable.
- Hunt for filesystem events that create .git directories outside known repository roots, particularly in shared temporary directories.
- Correlate Git invocations with subsequent spawning of sh, bash, python, or other interpreters that are not typical for routine Git operations.
Monitoring Recommendations
- Enable auditd or equivalent kernel auditing rules for execve events involving the git binary when the effective UID is 0.
- Monitor package management telemetry to confirm that every Git installation across the fleet is at or above the patched release for its maintenance line (2.30.5, 2.31.4, 2.32.3, 2.33.4, 2.34.4, 2.35.4, 2.36.2, or 2.37.1).
- Alert on creation of .git/hooks/* scripts in non-developer accounts or system directories.
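The indicators and hunting strategies above can be folded into one host-side sweep. The script below is an added example written for this page, not tooling from the Git project or the advisory: it walks the directories you name, and for every .git it finds reports an owner mismatch between .git and its parent, any [core] key from the indicator list (fsmonitor, pager, editor, sshCommand) that Git would run as a command, and any executable hook other than the samples that git init ships. The fixture paths in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): sweep shared directories for the
# CVE-2022-29187 indicators. Paths and fixtures are constructed for illustration.

# scan_git_dirs DIR... : print one line per finding, nothing when clean
scan_git_dirs() {
  for root in "$@"; do
    # -xdev keeps the walk on one filesystem; .git may be a dir or a gitfile
    find "$root" -xdev -name .git 2>/dev/null | while IFS= read -r gitpath; do
      parent=$(dirname "$gitpath")
      git_owner=$(ls -ld "$gitpath" | awk '{print $3}')
      parent_owner=$(ls -ld "$parent" | awk '{print $3}')
      # Indicator 1: a .git planted by someone other than the directory owner
      if [ "$git_owner" != "$parent_owner" ]; then
        printf 'OWNER-MISMATCH %s (.git owned by %s, parent owned by %s)\n' \
          "$gitpath" "$git_owner" "$parent_owner"
      fi
      # Indicator 2: [core] keys whose values Git executes as commands
      cfg="$gitpath/config"
      if [ -f "$cfg" ]; then
        awk -v path="$gitpath" '
          tolower($0) ~ /^\[core\]/ { in_core = 1; next }
          /^\[/                     { in_core = 0 }
          in_core && tolower($0) ~ /^[ \t]*(fsmonitor|pager|editor|sshcommand)[ \t]*=/ {
            sub(/^[ \t]+/, ""); printf "COMMAND-KEY %s: %s\n", path, $0
          }' "$cfg"
      fi
      # Indicator 3: executable hooks (the *.sample files from git init are ignored)
      if [ -d "$gitpath/hooks" ]; then
        find "$gitpath/hooks" -type f -perm -100 ! -name '*.sample' 2>/dev/null |
          while IFS= read -r hook; do printf 'ACTIVE-HOOK %s\n' "$hook"; done
      fi
    done
  done
}

# count_findings DIR... : number of finding lines, usable as an alert threshold
count_findings() {
  scan_git_dirs "$@" | wc -l | tr -d ' '
}

# Usage: sh scan_git_dirs.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
  scan_git_dirs "$@"
fi
```

A root-owned, mode 700 /tmp/.git reserved as a workaround produces no finding, because its owner matches /tmp and it carries neither a config nor hooks; a .git dropped by a different user is flagged on the ownership line alone, before its config is even read.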
How to Mitigate CVE-2022-29187
Immediate Actions Required
- Upgrade Git to a fixed version: 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, or 2.30.5, or any later release.
- Stop running git as root or Administrator. Reduce privileged Git usage to the minimum operationally required.
- Inventory shared writable directories (such as /tmp) for existing .git directories and remove any that are not legitimate.
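Confirming the upgrade is not a plain string comparison, because each maintenance line received its own patch release. The script below is an added example written for this page, not tooling from the Git project: it takes the output of `git --version`, extracts the first dotted version triple (so vendor suffixes such as `2.37.0.windows.1` or `2.39.2 (Apple Git-143)` still parse), and classifies the version against the fixed release of its line. Versions in the usage are constructed; the fixed-release list is the one published for this CVE.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `git --version` string
# against the first fixed release of each maintenance line.

# First patched release per maintenance line, as published for CVE-2022-29187
FIXED_RELEASES="2.30.5 2.31.4 2.32.3 2.33.4 2.34.4 2.35.4 2.36.2 2.37.1"

# parse_git_version STRING -> "MAJOR MINOR PATCH" from the first dotted triple
parse_git_version() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
    head -n 1
}

# classify_git_version STRING -> prints fixed | vulnerable | unknown
classify_git_version() {
  set -- $(parse_git_version "$1")
  if [ "$#" -ne 3 ]; then
    echo unknown
    return
  fi
  major=$1; minor=$2; patch=$3
  if [ "$major" -ne 2 ]; then
    # Git 1.x predates the fix; any later major would postdate it
    if [ "$major" -gt 2 ]; then echo fixed; else echo vulnerable; fi
    return
  fi
  for fixed in $FIXED_RELEASES; do
    rest=${fixed#2.}          # e.g. "36.2"
    f_minor=${rest%.*}        # "36"
    f_patch=${rest#*.}        # "2"
    if [ "$minor" -eq "$f_minor" ]; then
      if [ "$patch" -ge "$f_patch" ]; then echo fixed; else echo vulnerable; fi
      return
    fi
  done
  # No fixed release in this line: 2.29 and older never received one,
  # 2.38 and later were cut after the fix landed
  if [ "$minor" -gt 37 ]; then echo fixed; else echo vulnerable; fi
}

# check_installed_git: classify the git on PATH (prints "unknown" if absent)
check_installed_git() {
  if command -v git >/dev/null 2>&1; then
    classify_git_version "$(git --version 2>/dev/null)"
  else
    echo unknown
  fi
}

# Usage: sh git_version_check.sh            -> classifies the installed git
#        sh git_version_check.sh "2.36.1"   -> classifies the given string
if [ "$#" -gt 0 ]; then
  classify_git_version "$1"
else
  check_installed_git
fi
```

Run it from fleet tooling and treat anything other than `fixed` as an upgrade ticket; `unknown` covers hosts with no git on PATH or a build string the parser cannot read, which deserve a manual look rather than silence.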
Patch Information
Fixed releases are published by the upstream Git project and distribution maintainers. Apply vendor updates from the GitHub Security Advisory GHSA-j342-m5hw-rr3v, the Debian LTS announcement, Gentoo GLSA 202312-15, and Apple Support HT213496 for Xcode. Fedora users should apply the corresponding Fedora package update.
Workarounds
- Pre-create a root-owned .git directory in shared paths (such as /tmp/.git) to prevent attackers from staging a malicious repository at that location.
- Add explicit safe.directory entries to /etc/gitconfig only for repositories that must be operated on by privileged users.
- Restrict shared directory permissions where feasible, replacing world-writable locations with per-user temporary directories.
# Configuration example: explicitly allow only trusted repositories for root
# (writing /etc/gitconfig requires root, hence sudo)
sudo git config --system --add safe.directory /opt/trusted-repo
sudo git config --system --add safe.directory /srv/git/maintained-repo
# Block future attacks in /tmp by reserving the .git path as a root-owned,
# root-only directory so no other user can stage a repository there
sudo mkdir -p /tmp/.git
sudo chown root:root /tmp/.git
sudo chmod 700 /tmp/.git
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


