CVE-2024-32465 : Git is a revision control system. The Git project recommends to avoid working in

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Published 2024-05-14 19:18:34

Updated 2024-06-26 10:15:12

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2024-32465

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-32465

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 9 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-32465

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.4	HIGH	CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	N/A	N/A	GitHub, Inc.	2024-05-14
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
7.3	HIGH	CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	0.7	6.0	GitHub, Inc.	2024-05-14
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-32465

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2024-32465

https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7

upload-pack: disable lazy-fetching by default · git/git@7b70e9e · GitHub
https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4

Protections for cloning untrusted repositories can be bypassed · Advisory · git/git · GitHub
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html

[SECURITY] [DLA 3844-1] git security update

CVEs referencing this url
https://git-scm.com/docs/git-clone

Git - git-clone Documentation

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2024/05/14/2

oss-security - git: 5 vulnerabilities fixed

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

[SECURITY] Fedora 40 Update: git-2.45.1-1.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://git-scm.com/docs/git#_security

Git - git Documentation

Jump to

Vulnerability Details : CVE-2024-32465

Products affected by CVE-2024-32465

Exploit prediction scoring system (EPSS) score for CVE-2024-32465

CVSS scores for CVE-2024-32465

CWE ids for CVE-2024-32465

References for CVE-2024-32465