Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Rolls Out Xcode Update Patching Git Vulnerabilities

Apple this week announced a security update for the Xcode macOS development environment, to resolve three Git vulnerabilities, including one leading to arbitrary code execution.

Apple this week announced a security update for the Xcode macOS development environment, to resolve three Git vulnerabilities, including one leading to arbitrary code execution.

The first of the issues, CVE-2022-29187, is a variant of CVE-2022-24765, a bug impacting users on multi-user machines, where “a malicious actor could create a .git directory in a shared location above a victim’s current working directory.”

An attacker could exploit the flaw to create configuration files in the malicious .git directory and, by using specific variables, could achieve arbitrary command execution on the shared machine.

“An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository,” the vulnerability’s description reads.

The bug impacts all Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5. With the latest version of Xcode, Apple updated Git to version 2.32.3, which resolves ‘multiple issues’.

Now rolling out to macOS Monterey 12.5 and later as version 14.1, the latest Xcode iteration also resolves CVE-2022-39253, a security defect that could lead to information leaks.

The issue exists because of Git’s behavior when performing local clones and can be exploited by tricking a victim into cloning a repository that contains a symbolic link pointing at sensitive information on the victim’s system.

Tracked as CVE-2022-39260, the third Git vulnerability resolved in Xcode this week could lead to arbitrary code execution when git shell – which supports Git’s push/pull functionality via SSH – is allowed as a login shell.

A fourth vulnerability addressed in Xcode 14.1 impacts the IDE Xcode server. Tracked as CVE-2022-42797, the issue could allow malicious applications to gain root privileges.

Related: Apple Patches Over 100 Vulnerabilities With Release of macOS Ventura 13

Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.