CVE-2024-32021

Local Git clone may hardlink arbitrary user-readable files into the new repository's "objects/" directory

Severity Score

3.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning
will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Git es un sistema de control de revisiones. Antes de las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4, al clonar un repositorio de origen local que contiene enlaces simbólicos a través del sistema de archivos, Git puede crear enlaces duros a archivos arbitrarios legibles por el usuario en el mismo sistema de archivos que el repositorio de destino en el directorio `objects/`. Clonar un repositorio local sobre el sistema de archivos puede crear enlaces duros a archivos arbitrarios propiedad del usuario en el mismo sistema de archivos en el directorio `objects/` del repositorio Git de destino. Al clonar un repositorio a través del sistema de archivos (sin especificar explícitamente el protocolo `file://` o `--no-local`), se utilizarán las optimizaciones para la clonación local, que incluyen intentar vincular los archivos objeto en lugar de copiarlos. a ellos. Si bien el código incluye verificaciones de enlaces simbólicos en el repositorio de origen, que se agregaron durante la corrección de CVE-2022-39253, estas verificaciones aún se pueden ejecutar porque la operación de enlace físico finalmente sigue enlaces simbólicos. Si el objeto en el sistema de archivos aparece como un archivo durante la verificación, y luego como un enlace simbólico durante la operación, esto permitirá al adversario eludir la verificación y crear vínculos físicos en el directorio de objetos de destino a archivos arbitrarios legibles por el usuario. El problema se solucionó en las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4.

A vulnerability was found in Git. This flaw allows an unauthenticated attacker to place a repository on their target's local system that contains symlinks. During the cloning process, Git could be tricked into creating hardlinked arbitrary files into their repository's objects/ directory, impacting availability and integrity.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Maxime Escourbiac and Yassine Bengana discovered that Git incorrectly handled some gettext machinery. An attacker could possibly use this issue to allows the malicious placement of crafted messages. This issue was fixed in Ubuntu 16.04 LTS. It was discovered that Git incorrectly handled certain submodules. An attacker could possibly use this issue to execute arbitrary code. This issue was fixed in Ubuntu 18.04 LTS.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-09 CVE Reserved
2024-05-14 CVE Published
2025-02-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-61: UNIX Symbolic Link (Symlink) Following
CWE-547: Use of Hard-coded, Security-relevant Constants

CAPEC

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/05/14/2
https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-32021	2024-07-08
https://bugzilla.redhat.com/show_bug.cgi?id=2280484	2024-07-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.45.0 Search vendor "Git" for product "Git" and version "2.45.0"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.44.0 Search vendor "Git" for product "Git" and version "2.44.0"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.43.0 < 2.43.4 Search vendor "Git" for product "Git" and version " >= 2.43.0 < 2.43.4"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.42.0 < 2.42.2 Search vendor "Git" for product "Git" and version " >= 2.42.0 < 2.42.2"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.41.0 Search vendor "Git" for product "Git" and version "2.41.0"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.40.0 < 2.40.2 Search vendor "Git" for product "Git" and version " >= 2.40.0 < 2.40.2"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				< 2.39.4 Search vendor "Git" for product "Git" and version " < 2.39.4"		en		Affected