Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-22742

Published: 20 January 2023

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

Priority

Medium

Cvss 3 Severity Score

5.9

Score breakdown

Status

Package Release Status
libgit2
Launchpad, Ubuntu, Debian
bionic
Released (0.26.0+dfsg.1-1.1ubuntu0.2+esm1)
Available with Ubuntu Pro
focal
Released (0.28.4+dfsg.1-2ubuntu0.1)
jammy
Released (1.1.0+dfsg.1-4.1ubuntu0.1)
kinetic Ignored
(end of life, was needs-triage)
lunar Not vulnerable
(1.5.1+ds-1ubuntu1)
mantic Not vulnerable
(1.5.1+ds-1ubuntu1)
trusty Needed

upstream
Released (1.4.5,1.5.1+ds-1)
xenial
Released (0.24.1-2ubuntu0.2+esm2)
Available with Ubuntu Pro
Patches:
upstream: https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea
upstream: https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56

Severity score breakdown

Parameter Value
Base score 5.9
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N