CVE-2024-24577

2024-02-0622:16:15

Google

osv.dev

libgit2

heap corruption

git_index_add

vulnerability

version 1.6.5

version 1.7.2

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.2%

JSON

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to git_index_add can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the has_dir_name function in src/libgit2/index.c, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

CPENameOperatorVersion
libgit2eq0.27.0
libgit2eq0.26.0
libgit2eq0.26.0-rc1
libgit2eq0.23.0-rc2
libgit2eq0.23.0-rc1
libgit2eq0.26.0-rc2
libgit2eq0.27.0-rc2
libgit2eq0.27.0-rc3
libgit2eq0.21.0-rc1
libgit2eq1.6.1

Name	Operator	Version
libgit2	eq	0.27.0
libgit2	eq	0.26.0
libgit2	eq	0.26.0-rc1
libgit2	eq	0.23.0-rc2
libgit2	eq	0.23.0-rc1
libgit2	eq	0.26.0-rc2
libgit2	eq	0.27.0-rc2
libgit2	eq	0.27.0-rc3
libgit2	eq	0.21.0-rc1
libgit2	eq	1.6.1