CVE-2024-24577 libgit2 is vulnerable to arbitrary code execution due to heap corruption in `git_index_add`

2024-02-0621:36:12

CWE-122

GitHub_M

www.cve.org

cve-2024-24577

libgit2

heap corruption

git_index_add

arbitrary code execution

has_dir_name

controlled heap corruption

patch

version 1.6.5

version 1.7.2

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

10 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.2%

JSON

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to git_index_add can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the has_dir_name function in src/libgit2/index.c, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

CNA Affected

[
  {
    "vendor": "libgit2",
    "product": "libgit2",
    "versions": [
      {
        "version": "< 1.6.5",
        "status": "affected"
      },
      {
        "version": ">= 1.7.0, < 1.7.2",
        "status": "affected"
      }
    ]
  }
]