Apologies for the radio silence recently. Had some terrible family news over Christmas and New Year.
Anyway, the following have been published regarding Git and rated as Critical:
- CVE-2022-41903 - https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
- CVE-2022-23521 - https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
- CVE-2022-41953 - https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c - Patch in progress
The last CVE is still to be patched and affects Git for Windows. As a workaround, do not use Git GUI to clone a repository, especially from untrusted sources.
“Therefore, malicious repositories can ship with an aspell.exe in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code.”
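As an added example (not code from the original post or from the Git advisory), the following POSIX shell function turns the quoted behaviour into a pre-flight check: clone from the command line, then refuse to open the working tree in Git GUI while an `aspell.exe` sits at the repository's top level. The function name, the case-insensitive match and the top-level-only scope are this example's own choices, taken from the advisory text above rather than from any Git documentation.

```shell
#!/bin/sh
# Added example, not part of the original post or the Git advisory.
# Returns 0 when the repository at $1 has no top-level aspell.exe,
# 1 when one is present, 2 when $1 is not a directory.
# The match is case-insensitive because Windows filesystems are, and it
# only looks at the top level, which is the location the advisory names.
repo_top_level_is_clean() {
    repo="$1"
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }
    for entry in "$repo"/* "$repo"/.*; do
        [ -e "$entry" ] || continue          # unmatched glob, skip
        name=$(basename "$entry")
        [ "$name" = "." ] || [ "$name" = ".." ] && continue
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" = "aspell.exe" ]; then
            echo "refusing: $entry present at repository top level" >&2
            return 1
        fi
    done
    return 0
}

# Usage (paths are placeholders):
#   git clone <url> repo && repo_top_level_is_clean repo && (cd repo && git gui)
```

Keeping the clone on the command line and gating the GUI launch on the check means an untrusted repository gets inspected before Git GUI ever has a chance to run anything from it.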