CVE-2023-23618

8.6 HIGH

📋 TL;DR

CVE-2023-23618 is a vulnerability in Git for Windows' gitk, a Tcl/Tk program that can inadvertently execute executables found in the current working directory, i.e. in the checkout of the repository being inspected. It is an untrusted search path issue, not path traversal. Windows users who run gitk, or Git GUI's 'Visualize History' function (which launches gitk), inside a repository from an untrusted source are affected: an attacker plants a suitably named executable in the repository and relies on social engineering to get the victim to clone it and open its history, after which the planted binary runs with the victim's privileges.

💻 Affected Systems

Products:
  • Git for Windows
Versions: All versions prior to 2.39.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only gitk, and Git GUI's 'Visualize History' feature (which launches gitk), are affected. Ordinary git command-line operations are not.

📦 What is this software?

Git for Windows is the Windows port of the Git version control system. It bundles gitk, a Tcl/Tk graphical browser for commit history, and Git GUI, whose 'Visualize History' menu entry starts gitk on the current repository.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Arbitrary code execution in the user's context (no privilege escalation by itself) when a malicious repository is opened with gitk, typically leading to malware execution or credential theft.

🟢

If Mitigated

No impact if gitk is not used on untrusted repositories, or if a patched version (2.39.2.windows.1 or later) is installed.

🌐 Internet-Facing: LOW - Requires user interaction with malicious repository, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Internal developers could be tricked into cloning malicious repositories.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering: the victim has to clone the malicious repository and then open it with gitk or Git GUI's 'Visualize History'. A proof of concept is described in the vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.39.2.windows.1

Vendor Advisory: https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm

Restart Required: No

Instructions:

1. Download Git for Windows 2.39.2 or later from https://gitforwindows.org/
2. Run the installer
3. Keep the existing installation directory so the installer upgrades in place
4. Complete the installation wizard, then confirm with git --version

🔧 Temporary Workarounds

Avoid gitk in untrusted repositories

Platform: Windows

Do not use gitk or Git GUI's 'Visualize History' feature when working with repositories from untrusted sources.

🧯 If You Can't Patch

  • Remove or rename the gitk launcher in the Git for Windows installation, or take it out of the system PATH, so it cannot be started
  • Implement policy prohibiting gitk usage with external repositories

🔍 How to Verify

Check if Vulnerable:

Check the Git for Windows version with git --version. If the reported version is below 2.39.2.windows.1 (for example 2.39.1.windows.1 or any earlier Git for Windows build), the system is vulnerable. Compare the version numerically, not as a string: 2.4.x sorts after 2.39.x as text but is far older.

Check Version:

git --version

Verify Fix Applied:

Run git --version and confirm output shows 2.39.2 or higher.
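The version check above, written out as an added example (not code from the Git project): it parses `git --version` output, recognises the `.windows.N` suffix that only Git for Windows builds carry, and compares the version numerically against the first fixed release. The sample output strings are constructed so the logic can be exercised off a Windows host.

```python
"""Version check for CVE-2023-23618 (gitk in Git for Windows).

Added example for this page, not code from the Git project. It parses the
output of `git --version`, honours the `.windows.N` build suffix, and compares
numerically so that 2.4.0 is correctly ordered before 2.39.2.
"""
import re
import subprocess
from typing import Optional, Tuple

# First release that carries the fix, per the vendor advisory.
FIXED_VERSION = (2, 39, 2)

# Matches "git version 2.39.2.windows.1" as well as upstream "git version 2.39.2".
_VERSION_RE = re.compile(r"git version (\d+)\.(\d+)\.(\d+)")


def parse_git_version(output: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_git_for_windows_build)."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised git --version output: {output!r}")
    version = tuple(int(part) for part in m.groups())
    # Only Git for Windows ships the affected gitk; its builds carry ".windows.N".
    return version, ".windows." in output


def is_vulnerable(output: str) -> bool:
    """True when the output names a Git for Windows build older than the fix."""
    version, is_windows_build = parse_git_version(output)
    return is_windows_build and version < FIXED_VERSION


def check_installed_git() -> Optional[bool]:
    """Run `git --version` on this host; None if git is not available."""
    try:
        result = subprocess.run(
            ["git", "--version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, so the logic can be exercised off a Windows box.
    for sample in ("git version 2.39.1.windows.1",
                   "git version 2.39.2.windows.1",
                   "git version 2.4.0.windows.1",
                   "git version 2.39.1"):
        print(f"{sample!r:40} vulnerable={is_vulnerable(sample)}")
    state = check_installed_git()
    if state is None:
        print("installed git: not found")
    else:
        print("installed git:", "VULNERABLE" if state else "fixed or not affected")
```

Upstream (non-Windows) builds return False because they do not ship the affected gitk; on a Windows endpoint `check_installed_git()` queries the installed binary directly.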

📡 Detection & Monitoring

Log Indicators:

  • Execution of an executable located inside a Git repository working directory (rather than under the Git installation directory)
  • gitk.exe, or the Tcl/Tk interpreter (typically wish.exe) that runs the gitk script, spawning a child process other than Git's own tools

Network Indicators:

  • Unusual outbound connections following gitk execution

SIEM Query:

Process creation events where ParentImage ends with \gitk.exe or \wish.exe AND Image is not under the Git installation directory (e.g. C:\Program Files\Git\), in particular where the directory of Image equals the process's current directory (the repository checkout)
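The detection logic of that query, run over constructed Sysmon-style process-creation records as an added example (not vendor code). The Git install path and the set of parent process names are assumptions to adapt to your environment; the events are fabricated for illustration. Rather than keying on gitk.exe alone, it treats any gitk or wish.exe child that does not come from the Git installation as suspicious, and separately marks the CVE pattern where the child binary sits in the current working directory.

```python
"""Detection for the CVE-2023-23618 pattern: gitk spawning an executable from
the repository working directory instead of from the Git installation.

Added example for this page, not vendor code. The records below are
constructed, Sysmon-style process-creation events (Event ID 1), not real
telemetry; the install path and parent-process names are assumptions.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Default Git for Windows install location (assumed; adjust for your fleet).
GIT_INSTALL_DIR = "C:\\Program Files\\Git"

# Processes that run the gitk script: wish.exe is the Tcl/Tk interpreter,
# gitk.exe and git-gui.exe are the launchers. Assumed process-tree shape.
GITK_PARENTS = {"gitk.exe", "wish.exe", "git-gui.exe"}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, directory: str) -> bool:
    """True if path lies inside directory (case-insensitive, whole components)."""
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return None for benign events, or a short verdict for suspicious ones.

    'worktree-exec': the child binary sits in the process's current directory,
                     i.e. it was picked up from the repository checkout.
    'non-git-child': gitk started something that is not part of the Git install.
    """
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in GITK_PARENTS:
        return None
    image = event.get("Image", "")
    # gitk legitimately only runs tools shipped with Git (git.exe, sh.exe, ...).
    if _under(image, GIT_INSTALL_DIR):
        return None
    cwd = event.get("CurrentDirectory", "")
    if cwd and _norm(str(PureWindowsPath(image).parent)) == _norm(cwd):
        return "worktree-exec"
    return "non-git-child"


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return suspicious events with a 'Verdict' field attached."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append({**event, "Verdict": verdict})
    return hits


# Constructed sample events in Sysmon field naming.
SAMPLE_EVENTS = [
    {  # benign: gitk invoking the real git.exe from the Git installation
        "Image": "C:\\Program Files\\Git\\mingw64\\bin\\git.exe",
        "ParentImage": "C:\\Program Files\\Git\\mingw64\\bin\\wish.exe",
        "CurrentDirectory": "C:\\Users\\alice\\src\\trusted-repo\\",
        "CommandLine": "git rev-parse --git-dir",
    },
    {  # the CVE pattern: a git.exe planted in the cloned repository is run instead
        "Image": "C:\\Users\\alice\\src\\evil-repo\\git.exe",
        "ParentImage": "C:\\Program Files\\Git\\mingw64\\bin\\wish.exe",
        "CurrentDirectory": "C:\\Users\\alice\\src\\evil-repo\\",
        "CommandLine": "git rev-parse --git-dir",
    },
    {  # gitk launcher running something outside both the repo and the Git install
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Program Files\\Git\\cmd\\gitk.exe",
        "CurrentDirectory": "C:\\Users\\alice\\src\\evil-repo\\",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # unrelated: same binary, but not a gitk child
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "C:\\Users\\alice\\",
        "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['Verdict']:14} {hit['ParentImage']} -> {hit['Image']}")
```

The path comparison is case-insensitive and component-aware (so C:\Program Files\Git2 is not mistaken for the install directory); feed it the Image, ParentImage and CurrentDirectory fields from Sysmon Event ID 1 or the equivalent EDR telemetry.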

🔗 References

  • Vendor advisory (GHSA-wxwv-49qw-35pm): https://github.com/git-for-windows/git/security/advisories/GHSA-wxwv-49qw-35pm