Vulnerability Details: CVE-2022-24975
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
Vulnerability category: Information leak
Products affected by CVE-2022-24975
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24975
- 0.19%: Probability of exploitation activity in the next 30 days
- ~56%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24975
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2022-24975
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24975
- https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
  Phantom Secrets: Undetected Secrets Expose Major Corporations
- https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
  git/git-clone.txt at 2dc94da3744bfbbf145eca587a0f5ff480cc5867 · git/git · GitHub (Exploit; Vendor Advisory)
- https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
  GitBleed – Finding Secrets in Mirrored Git Repositories | Nightwatch Cybersecurity (Exploit; Third Party Advisory)
- https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/
  Re: CVE-2022-24975 - Junio C Hamano