CVSS3: 9 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score: 8.8 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 40.2%)
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule’s worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won’t work. As always, it is best to avoid cloning repositories from untrusted sources.
Author | Note |
---|---|
leosilva | One can avoid it if symbolic link support is disabled (“config --global core.symlinks false”). This issue exploits case insensitivity. Since ext4 on Linux has an option to turn on case insensitivity, Linux could be a target. This issue was not reproducible, but fixed in all releases but Focal, Bionic and Xenial, where the source is not backportable at first glance. Pending further investigation. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | git | < any | UNKNOWN |
ubuntu | 20.04 | noarch | git | < 1:2.25.1-1ubuntu3.13 | UNKNOWN |
ubuntu | 22.04 | noarch | git | < 1:2.34.1-1ubuntu1.11 | UNKNOWN |
ubuntu | 23.10 | noarch | git | < 1:2.40.1-1ubuntu1.1 | UNKNOWN |
ubuntu | 24.04 | noarch | git | < 1:2.43.0-1ubuntu7.1 | UNKNOWN |
ubuntu | 16.04 | noarch | git | < any | UNKNOWN |
git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d
github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
launchpad.net/bugs/cve/CVE-2024-32002
nvd.nist.gov/vuln/detail/CVE-2024-32002
security-tracker.debian.org/tracker/CVE-2024-32002
ubuntu.com/security/notices/USN-6793-1
ubuntu.com/security/notices/USN-6793-2
www.cve.org/CVERecord?id=CVE-2024-32002