{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-27T08:38:29.139","vulnerabilities":[{"cve":{"id":"CVE-2022-39253","sourceIdentifier":"security-advisories@github.com","published":"2022-10-19T11:15:11.227","lastModified":"2024-11-21T07:17:53.040","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`."},{"lang":"es","value":"Git es un sistema de control de revisiones distribuido, escalable y de código abierto. Las versiones anteriores a la 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3 y 2.37.4 están sujetas a una exposición de información confidencial a un actor malicioso. Cuando es llevado a cabo un clon local (en el que el origen y el destino del clon están en el mismo volumen), Git copia el contenido del directorio \"$GIT_DIR/objects\" del origen en el destino creando enlaces duros al contenido del origen o copiándolo (si los enlaces duros están deshabilitados por medio de \"--no-hardlinks\"). Un actor malicioso podría convencer a una víctima de clonar un repositorio con un enlace simbólico que apunte a información confidencial en la máquina de la víctima. Esto puede hacerse ya sea que la víctima clone un repositorio malicioso en la misma máquina, o haciendo que clone un repositorio malicioso insertado como repositorio desnudo por medio de un submódulo de cualquier fuente, siempre que clone con la opción \"--recurse-submodules\". Git no crea enlaces simbólicos en el directorio \"$GIT_DIR/objects\". El problema ha sido parcheado en las versiones publicadas el 18-10-2022, y retrocedido a v2.30.x. Posibles mitigaciones: Evite clonar repositorios no confiables usando la optimización \"--local\" cuando esté en una máquina compartida, ya sea pasando la opción \"--no-local\" a \"git clone\" o clonando desde una URL que use el esquema \"file://\". Alternativamente, evita clonar repositorios de fuentes no confiables con \"--recurse-submodules\" o ejecuta \"git config --global protocol.file.allow user\""}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-59"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionEndExcluding":"2.30.6","matchCriteriaId":"28199E8F-36D0-46F8-AF0A-9460390BE56F"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.31.0","versionEndExcluding":"2.31.5","matchCriteriaId":"E095AAE7-18C2-4957-9740-FC804860B9C2"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.32.0","versionEndExcluding":"2.32.4","matchCriteriaId":"459EE43E-40FB-45BE-A1CC-51435E9F92AD"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.33.0","versionEndExcluding":"2.33.5","matchCriteriaId":"2CBDDA42-F5EC-4747-BF3C-16683D684702"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.34.0","versionEndExcluding":"2.34.5","matchCriteriaId":"D7691E22-145E-4D97-A6E0-6515742781B9"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.35.0","versionEndExcluding":"2.35.5","matchCriteriaId":"E02396C2-BB34-4D18-917E-DA56EA7B58B9"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.36.0","versionEndExcluding":"2.36.3","matchCriteriaId":"51BEAEEC-9D9D-4CFE-8958-43BFE87DE501"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.37.0","versionEndExcluding":"2.37.4","matchCriteriaId":"566CF89C-AC39-47D7-B3DE-633B2237F816"},{"vulnerable":true,"criteria":"cpe:2.3:a:git-scm:git:2.38.0:*:*:*:*:*:*:*","matchCriteriaId":"1AFEECCB-B8DB-4270-A860-C2BA1C7B267C"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","matchCriteriaId":"80E516C0-98A4-4ADE-B69F-66A772E2BAAA"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","matchCriteriaId":"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","matchCriteriaId":"E30D0E6F-4AE8-4284-8716-991DFA48CC5D"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*","versionEndExcluding":"14.1","matchCriteriaId":"CECD39AA-41F4-4638-B59A-C5E928B585C3"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"http://seclists.org/fulldisclosure/2022/Nov/1","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2023/02/14/5","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","source":"security-advisories@github.com"},{"url":"https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85","source":"security-advisories@github.com","tags":["Mitigation","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMQWGMDLX6KTVWW5JZLVPI7ICAK72TN7/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/","source":"security-advisories@github.com"},{"url":"https://security.gentoo.org/glsa/202312-15","source":"security-advisories@github.com"},{"url":"https://support.apple.com/kb/HT213496","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"http://seclists.org/fulldisclosure/2022/Nov/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2023/02/14/5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMQWGMDLX6KTVWW5JZLVPI7ICAK72TN7/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://security.gentoo.org/glsa/202312-15","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://support.apple.com/kb/HT213496","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}