Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
Affected Products (13)

| Vendor | Product | Affected versions |
| --- | --- | --- |
| git-scm | git | 2.32.0 - 2.32.7 |
| git-scm | git | 2.33.0 - 2.33.8 |
| git-scm | git | 2.34.0 - 2.34.8 |
| git-scm | git | 2.35.0 - 2.35.8 |
| git-scm | git | 2.36.0 - 2.36.6 |
| git-scm | git | 2.37.0 - 2.37.7 |
| git-scm | git | 2.38.0 - 2.38.5 |
| git-scm | git | 2.39.0 - 2.39.3 |
| git-scm | git | - |
| fedoraproject | fedora | - |
| fedoraproject | fedora | - |
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N