CVE-2024-32002 : Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Published 2024-05-14 18:40:47

Updated 2024-06-26 10:15:12

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2024-32002

GIT » GIT
Versions from including (>=) 2.43.0 and before (<) 2.43.4
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
Matching versions
GIT » GIT
Versions from including (>=) 2.40.0 and before (<) 2.40.2
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
Matching versions
GIT » GIT
Versions before (<) 2.39.4
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
Matching versions
GIT » GIT
Versions from including (>=) 2.42.0 and before (<) 2.42.2
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
Matching versions
GIT » GIT » Version: 2.45.0
cpe:2.3:a:git:git:2.45.0:*:*:*:*:*:*:*
Matching versions
GIT » GIT » Version: 2.44.0
cpe:2.3:a:git:git:2.44.0:*:*:*:*:*:*:*
Matching versions
GIT » GIT » Version: 2.41.0
cpe:2.3:a:git:git:2.41.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-32002

EPSS FAQ

71.00%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-32002

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.1	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	N/A	N/A	GitHub, Inc.	2024-05-14
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	2.2	6.0	NIST	2024-05-23
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	2.2	6.0	GitHub, Inc.	2024-05-14
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/...	N/A	N/A	MS-CVE-2024-32002	2024-05-14
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	N/A	N/A	RedHat-CVE-2024-32002	2024-05-15
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-32002

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Secondary)
CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2024-32002

https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html

[SECURITY] [DLA 3844-1] git security update

CVEs referencing this url
https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d

submodules: submodule paths must not contain symlinks · git/git@9706576 · GitHub
Patch
https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt

Not Applicable

CVEs referencing this url
https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv

Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution · Advisory · git/git · GitHub
Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/05/14/2

oss-security - git: 5 vulnerabilities fixed

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

[SECURITY] Fedora 40 Update: git-2.45.1-1.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks

Git - git-config Documentation
Not Applicable

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-32002

Products affected by CVE-2024-32002

Exploit prediction scoring system (EPSS) score for CVE-2024-32002

CVSS scores for CVE-2024-32002

CWE ids for CVE-2024-32002

References for CVE-2024-32002