CVE-2024-32002

Git's recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Git es un sistema de control de revisiones. Antes de las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4, los repositorios con submódulos se podían manipular de manera que explotaran un error en Git mediante el cual se deja engañar y escribe archivos, no en el árbol de trabajo del submódulo, sino en un directorio `.git/`. Esto permite escribir un enlace que se ejecutará mientras la operación de clonación aún se está ejecutando, sin darle al usuario la oportunidad de inspeccionar el código que se está ejecutando. El problema se solucionó en las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4. Si la compatibilidad con enlaces simbólicos está deshabilitada en Git (por ejemplo, mediante `git config --global core.symlinks false`), el ataque descrito no funcionará. Como siempre, es mejor evitar clonar repositorios de fuentes que no sean de confianza.

A vulnerability was found in Git. This vulnerability allows the malicious manipulation of repositories containing submodules, exploiting a bug that enables the writing of files into the .git/ directory instead of the submodule's intended worktree. This manipulation facilitates the execution of arbitrary code during the cloning process, bypassing user inspection and control.

*Credits: N/A

CVSS Scores

NISTv3.1 9.0

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-08 CVE Reserved
2024-05-14 CVE Published
2024-05-17 First Exploit
2024-06-27 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (50)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/05/14/2
https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt	Not Applicable
https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks	Not Applicable
https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR

URL	Date	SRC
https://github.com/amalmurali47/git_rce	2024-05-19
https://github.com/amalmurali47/hook	2024-05-19
https://github.com/bonnettheo/CVE-2024-32002	2024-06-27
https://github.com/WOOOOONG/CVE-2024-32002	2024-05-23
https://github.com/WOOOOONG/hook	2024-05-23
https://github.com/markuta/hooky	2024-05-17
https://github.com/markuta/CVE-2024-32002	2024-05-30
https://github.com/bfengj/CVE-2024-32002-Exploit	2024-05-22
https://github.com/bfengj/CVE-2024-32002-hook	2024-05-22
https://github.com/tiyeume25112004/CVE-2024-32002	2024-07-30
https://github.com/charlesgargasson/CVE-2024-32002	2024-07-30
https://github.com/safebuffer/CVE-2024-32002	2024-05-18
https://github.com/M507/CVE-2024-32002	2024-05-18
https://github.com/JJoosh/CVE-2024-32002-Reverse-Shell	2024-05-21
https://github.com/JJoosh/CVE-2024-32002	2024-05-21
https://github.com/10cks/CVE-2024-32002-EXP	2024-05-23
https://github.com/10cks/CVE-2024-32002-POC	2024-05-23
https://github.com/10cks/CVE-2024-32002-smash	2024-05-23
https://github.com/10cks/CVE-2024-32002-hulk	2024-05-23
https://github.com/10cks/CVE-2024-32002-submod	2024-05-23
https://github.com/10cks/CVE-2024-32002-linux-hulk	2024-05-23
https://github.com/10cks/CVE-2024-32002-linux-submod	2024-05-23
https://github.com/10cks/CVE-2024-32002-linux-smash	2024-05-23
https://github.com/vincepsh/CVE-2024-32002-hook	2024-05-22
https://github.com/vincepsh/CVE-2024-32002	2024-05-22
https://github.com/blackninja23/CVE-2024-32002	2024-07-27
https://github.com/AD-Appledog/CVE-2024-32002	2024-05-31
https://github.com/sanan2004/CVE-2024-32002	2024-08-17
https://github.com/daemon-reconfig/CVE-2024-32002	2024-08-02
https://github.com/YuanlooSec/CVE-2024-32002-poc	2024-05-22
https://github.com/h3xm4n/CVE-2024-32002	2024-07-29
https://github.com/FlojBoj/CVE-2024-32002	2024-08-25
https://github.com/sysonlai/CVE-2024-32002-hook	2024-07-07
https://github.com/1mxml/CVE-2024-32002-poc	2024-05-22
https://github.com/ycdxsb/CVE-2024-32002-hulk	2024-05-22
https://github.com/ycdxsb/CVE-2024-32002-submod	2024-05-22
https://github.com/TSY244/CVE-2024-32002-git-rce	2024-07-20
https://github.com/Basyaact/CVE-2024-32002-PoC_Chinese	2024-06-05
https://github.com/Goplush/CVE-2024-32002-git-rce	2024-05-28
https://github.com/Masamuneee/CVE-2024-32002-POC	2024-09-27
https://github.com/grecosamuel/CVE-2024-32002	2024-10-22

URL	Date	SRC
https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d	2024-06-26

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-32002	2024-09-11
https://bugzilla.redhat.com/show_bug.cgi?id=2280421	2024-09-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				< 2.39.4 Search vendor "Git" for product "Git" and version " < 2.39.4"		-		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.40.0 < 2.40.2 Search vendor "Git" for product "Git" and version " >= 2.40.0 < 2.40.2"		-		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.42.0 < 2.42.2 Search vendor "Git" for product "Git" and version " >= 2.42.0 < 2.42.2"		-		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.43.0 < 2.43.4 Search vendor "Git" for product "Git" and version " >= 2.43.0 < 2.43.4"		-		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.41.0 Search vendor "Git" for product "Git" and version "2.41.0"		-		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.44.0 Search vendor "Git" for product "Git" and version "2.44.0"		-		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.45.0 Search vendor "Git" for product "Git" and version "2.45.0"		-		Affected