Git GUI Malicious Command Injection Vulnerability on Windows
Vulnerability
Git GUI versions through 2.50.0 can be made to run a program that ships inside a malicious repository. Git GUI is written in Tcl/Tk, and on Windows Tcl always includes the current directory when it searches for an executable to launch. Git GUI invokes sh.exe (for the 'Git Bash' menu command) and textconv filter programs such as astextplain by bare name, so a file of that name placed in the repository's working tree, which is Git GUI's current directory, is found before the genuine program from the Git installation. The planted program runs when the user selects 'Git Bash' or 'Browse Files' from the menu while the malicious repository is open.
Impact
A successful attack gives the repository's author arbitrary code execution on the victim's machine from a single menu click: the planted sh.exe or textconv filter runs with the full privileges of the user running Git GUI.
Reproduction
Reproduction requires a Windows system with an unpatched Git GUI and a repository whose working tree contains an attacker-controlled file named sh.exe, or named after a textconv filter program such as astextplain. Clone or open that repository in Git GUI, then select 'Git Bash' or 'Browse Files' from the menu. Git GUI runs the copy from the repository instead of the genuine program, because Tcl on Windows resolves a bare program name against the current directory first, and Git GUI's current directory is the working tree of the open repository.
Remediation
Update to a fixed release: 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1. Git GUI ships with Git for Windows, so 'git --version' shows which release is installed. If an immediate update is not possible, do not use the 'Git Bash' or 'Browse Files' menu commands, in particular on repositories obtained from untrusted sources.
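The following script is an added example and is not part of this advisory or of the Git project. It implements the two checks a practitioner would want before opening an untrusted repository in Git GUI on Windows: it decides whether an installed Git version carries one of the fixes listed above, and it scans a working tree for the program names the advisory says a malicious repository can plant. The fixed-version table is copied from the Remediation section; the scanned names are sh.exe and astextplain as named above, and the bare 'sh' and 'astextplain.exe' variants are this script's own assumption. The sample working tree built by demo() is constructed for illustration.

```python
"""
Added example (not from the advisory or the Git project): version check and
working-tree scan for the Git GUI current-directory issue on Windows.
"""
import os
import re
import subprocess
import tempfile

# Fixed versions from the advisory, keyed by maintenance branch (major, minor).
FIXED_VERSIONS = {
    (2, 43): (2, 43, 7),
    (2, 44): (2, 44, 4),
    (2, 45): (2, 45, 4),
    (2, 46): (2, 46, 4),
    (2, 47): (2, 47, 3),
    (2, 48): (2, 48, 2),
    (2, 49): (2, 49, 1),
    (2, 50): (2, 50, 1),
}

# Names a malicious repository could plant. The advisory names sh.exe and
# astextplain; the bare "sh" and "astextplain.exe" variants are an assumption.
SUSPECT_NAMES = frozenset({"sh.exe", "sh", "astextplain", "astextplain.exe"})

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_git_version(text):
    """Extract (major, minor, patch) from output like 'git version 2.50.0.windows.1'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(g) for g in m.groups())


def is_patched(version):
    """True if this Git version carries a Git GUI fix listed in the advisory."""
    version = tuple(version)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[branch]
    # Branches before 2.43 got no fix release (assumption: branches after
    # 2.50 were cut after the fix landed and therefore contain it).
    return branch > (2, 50)


def installed_git_version():
    """Ask the git on PATH for its version (requires git to be installed)."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return parse_git_version(out)


def suspect_paths(relative_paths, names=SUSPECT_NAMES):
    """Keep only the repository-relative paths whose file name is suspect."""
    return sorted(p for p in relative_paths
                  if os.path.basename(p).lower() in names)


def find_planted_programs(root, names=SUSPECT_NAMES):
    """Walk a working tree (skipping .git) and return suspect file paths."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return suspect_paths(found, names)


def demo():
    """Build a constructed working tree resembling a malicious repository and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        os.makedirs(os.path.join(root, "tools"))
        # Constructed sample: a planted sh.exe at the top level, a planted
        # astextplain in a subdirectory, and a decoy inside .git that is skipped.
        for rel in ("README.md", "sh.exe", os.path.join("tools", "astextplain"),
                    os.path.join(".git", "sh.exe")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return find_planted_programs(root)


if __name__ == "__main__":
    print("suspect files in constructed sample:", demo())
    try:
        v = installed_git_version()
        print("git %d.%d.%d patched: %s" % (v + (is_patched(v),)))
    except (OSError, subprocess.CalledProcessError):
        print("git not found on PATH")
```

Run find_planted_programs() against a freshly cloned repository before opening it in Git GUI; a hit does not prove malice (a project may legitimately vendor a shell), but it is exactly the file an unpatched Git GUI would execute from the 'Git Bash' or 'Browse Files' menu.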
