CVE-2024-32465

Git's protections for cloning untrusted repositories can be bypassed

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Git es un sistema de control de revisiones. El proyecto Git recomienda evitar trabajar en repositorios que no sean de confianza y, en su lugar, clonarlos primero con `git clone --no-local` para obtener una copia limpia. Git tiene protecciones específicas para que la operación sea segura incluso con un repositorio de origen que no sea de confianza, pero las vulnerabilidades permiten eludir esas protecciones. En el contexto de la clonación de repositorios locales propiedad de otros usuarios, esta vulnerabilidad se cubrió en CVE-2024-32004. Pero hay circunstancias en las que las correcciones para CVE-2024-32004 no son suficientes: por ejemplo, al obtener un archivo `.zip` que contiene una copia completa de un repositorio Git, no se debe confiar en que sea seguro de forma predeterminada, como por ejemplo Los ganchos podrían configurarse para ejecutarse dentro del contexto de ese repositorio. El problema se solucionó en las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4. Como workaround, evite utilizar Git en repositorios que se hayan obtenido a través de archivos de fuentes no confiables.

A flaw was found in Git in a full copy of a Git repository. A prerequisite for this vulnerability is for an unauthenticated attacker to place a specialized repository on their target's local system. If the victim were to clone this repository, it could result in arbitrary code execution.

It was discovered that Git incorrectly handled certain submodules. An attacker could possibly use this issue to execute arbitrary code. This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. It was discovered that Git incorrectly handled certain cloned repositories. An attacker could possibly use this issue to execute arbitrary code.

*Credits: N/A

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-12 CVE Reserved
2024-05-14 CVE Published
2025-02-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (9)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/05/14/2
https://git-scm.com/docs/git#_security	X_refsource_misc
https://git-scm.com/docs/git-clone	X_refsource_misc
https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7	X_refsource_misc
https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-32465	2024-07-08
https://bugzilla.redhat.com/show_bug.cgi?id=2280446	2024-07-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.45.0 Search vendor "Git" for product "Git" and version "2.45.0"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.44.0 Search vendor "Git" for product "Git" and version "2.44.0"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.43.0 < 2.43.4 Search vendor "Git" for product "Git" and version " >= 2.43.0 < 2.43.4"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.42.0 < 2.42.2 Search vendor "Git" for product "Git" and version " >= 2.42.0 < 2.42.2"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				2.41.0 Search vendor "Git" for product "Git" and version "2.41.0"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				>= 2.40.0 < 2.40.2 Search vendor "Git" for product "Git" and version " >= 2.40.0 < 2.40.2"		en		Affected
Git Search vendor "Git"		Git Search vendor "Git" for product "Git"				< 2.39.4 Search vendor "Git" for product "Git" and version " < 2.39.4"		en		Affected