{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3amicrosoftvisual_studio_2017/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-1353"},{"cvss":8.8,"id":"CVE-2019-1354"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dulwich (\u003c 1.2.5)"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-write","remote-code-execution","git","dulwich"],"_cs_type":"advisory","_cs_vendors":["Dulwich"],"content_html":"\u003cp\u003eDulwich versions before 1.2.5 are vulnerable to an arbitrary file write vulnerability (CVE-2026-42305) on Windows. The vulnerability occurs because Dulwich's path-element validator accepts tree entries with filenames containing bytes that Windows interprets as structural path syntax, such as backslashes (\u003ccode\u003e\\\u003c/code\u003e), NTFS alternate-data-stream markers (\u003ccode\u003e:\u003c/code\u003e), and NTFS 8.3 short-name aliases (\u003ccode\u003egit~\u0026lt;digits\u0026gt;\u003c/code\u003e). This allows an attacker to craft malicious Git repositories that, when cloned or checked out on Windows, can write files to arbitrary locations, including inside the \u003ccode\u003e.git\u003c/code\u003e directory. If a file is planted as a Git hook (e.g., \u003ccode\u003e.git\\hooks\\pre-commit.exe\u003c/code\u003e), it can lead to remote code execution when a user commits changes. POSIX systems are not directly exploitable, but can propagate malicious trees to Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git repository containing a tree entry with a filename including a backslash (e.g., \u003ccode\u003e.git\\hooks\\pre-commit.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious Git repository on a publicly accessible server.\u003c/li\u003e\n\u003cli\u003eA victim user clones the malicious repository using Dulwich on a Windows system (e.g., using \u003ccode\u003edulwich.porcelain.clone\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDulwich's path-element validator incorrectly processes the backslash in the filename.\u003c/li\u003e\n\u003cli\u003eThe malicious file is written to the \u003ccode\u003e.git\\hooks\u003c/code\u003e directory within the victim's local repository, creating the directory structure \u003ccode\u003e.git/hooks/pre-commit.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim user attempts to commit changes to the repository using Git.\u003c/li\u003e\n\u003cli\u003eGit executes the planted hook script (\u003ccode\u003e.git/hooks/pre-commit.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution in the context of the victim user on the Windows system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve arbitrary file write and remote code execution on vulnerable Windows systems. This can lead to complete system compromise, data theft, and further lateral movement within the victim's network. The scope of impact depends on the number of developers and systems using affected Dulwich versions and cloning untrusted repositories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dulwich to version 1.2.5 or later to patch CVE-2026-42305.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Dulwich Git Hook Write via Malicious Filename\u0026quot; to detect attempts to write Git hooks with suspicious filenames.\u003c/li\u003e\n\u003cli\u003eBlock the use of affected Dulwich versions in your environment until they are patched.\u003c/li\u003e\n\u003cli\u003eAudit existing Git repositories for malicious tree entries that may have been introduced through vulnerable Dulwich versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T22:30:30Z","date_published":"2026-05-28T22:30:30Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dulwich-arbitrary-file-write/","summary":"Dulwich versions before 1.2.5 are vulnerable to an arbitrary file write leading to remote code execution on Windows systems when cloning or checking out a malicious Git repository due to improper path validation, as tracked by CVE-2026-42305.","title":"Dulwich Arbitrary File Write Vulnerability on Windows (CVE-2026-42305)","url":"https://feed.craftedsignal.io/briefs/2026-05-dulwich-arbitrary-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}