Gitblit and CVE-2022-23521


Scott M. Parrill

Feb 22, 2023, 5:46:17 PM
to git...@googlegroups.com

All,

I’ve been looking at information as to how and if CVE-2022-23521 pertains to Gitblit, as I understand that the vulnerability can affect server-side operations under certain circumstances (i.e. certain git hooks). Does this CVE affect Gitblit?

Thanks,
Scott

---------------------------------------

Scott Parrill

Systems Administrator

Enterprise IT, Infrastructure and Security

University of Wyoming

spar...@uwyo.edu

307-766-4829

Florian Zschocke

Apr 7, 2023, 12:59:31 PM
to gitblit
Hi Scott!

This CVE is about git, the command-line tool, i.e. the one written in C (et al.) from git-scm.com.
Gitblit uses the Java implementation of Git, JGit. This is, as far as I can see, not affected. That makes sense, because the CVE is about an integer overflow overwriting memory, which is not the same mechanics under Java.
Hope that helps.

Best regards
Florian