{"id":"CVE-2023-23946","summary":"Git's `git apply` overwriting paths outside the working tree","details":"Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.","aliases":["GHSA-r87m-v37r-cwfh"],"modified":"2026-04-10T04:11:13.895205Z","published":"2023-02-14T19:48:00.554Z","related":["ALSA-2023:3245","ALSA-2023:3246","CGA-mwr5-cfgm-mv44","MGASA-2023-0066","SUSE-SU-2023:0418-1","SUSE-SU-2023:0426-1","SUSE-SU-2023:0430-1","openSUSE-SU-2024:12698-1"],"database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23946.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23946.json"},{"type":"ADVISORY","url":"https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23946"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202312-15"},{"type":"FIX","url":"https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/git/git","events":[{"introduced":"a5828ae6b52137b913b978e16cd2334482eb4c1f"},{"fixed":"394a759d2b5f0a1a1908c820cf142f45cb78718c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-23946.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}