CVE-2024-32002

Updated: 2024-06-26 20:39:46.133628

Description:

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
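The two actionable facts in the description are the list of fixed upstream releases and the `core.symlinks` workaround. The script below is an added example written for this page (it is not code from the Git project or from the advisory's publisher): it classifies a `git --version` string against the fixed releases named above and checks whether the workaround is set. The verdict names (`fixed`, `vulnerable`, `check-vendor`, `unparsable`) and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example for CVE-2024-32002 (not code from the Git project or the
# advisory's publisher). Classifies an upstream Git version string against
# the fixed releases named in the advisory and checks the core.symlinks
# workaround it mentions.
#
# Caveat: distribution packages backport fixes without bumping the upstream
# version (the status table on this page shows errata released for git 2.43.0
# and 2.17.1), so "vulnerable" here means "confirm against vendor errata".

# Lowest fixed patch level on each upstream 2.x maintenance branch, from the
# advisory text: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, 2.39.4.
fixed_patch_for_minor() {
    case "$1" in
        45|44|41) echo 1 ;;
        42|40)    echo 2 ;;
        43|39)    echo 4 ;;
        *)        echo "" ;;
    esac
}

# git_version_is_fixed VERSION
#   VERSION may be "2.43.4", "git version 2.43.4" or "2.45.1.windows.1".
#   Prints one of: fixed / vulnerable / check-vendor / unparsable
#   Returns      : 0     / 1          / 2            / 3
#   "check-vendor" covers branches older than 2.39, for which the advisory
#   lists no fixed upstream release; vendors rate those packages individually.
git_version_is_fixed() {
    v=${1#git version }          # drop the "git version " prefix, if present
    v=${v%%[!0-9.]*}             # cut at the first char that is not a digit or dot
    v=${v%.}                     # drop a dangling dot left by e.g. ".windows.1"
    case "$v" in
        *.*) ;;
        *) echo unparsable; return 3 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "2.45" -> patch level 0
    patch=${patch%%.*}                  # "1.8.3.1" -> patch level 3
    case ":$major:$minor:$patch:" in
        *::*) echo unparsable; return 3 ;;   # an empty component, e.g. "2..3"
    esac
    if   [ "$major" -gt 2 ]; then verdict=fixed
    elif [ "$major" -lt 2 ] || [ "$minor" -lt 39 ]; then verdict=check-vendor
    elif [ "$minor" -gt 45 ]; then verdict=fixed
    else
        need=$(fixed_patch_for_minor "$minor")
        if [ "$patch" -ge "$need" ]; then verdict=fixed; else verdict=vulnerable; fi
    fi
    echo "$verdict"
    case "$verdict" in fixed) return 0 ;; vulnerable) return 1 ;; *) return 2 ;; esac
}

# core_symlinks_disabled VALUE
#   VALUE is the normalised output of `git config --bool --get core.symlinks`.
#   The advisory's workaround is satisfied only by an explicit "false".
core_symlinks_disabled() {
    [ "$1" = "false" ]
}

# Live check of the local git; skipped when git is not installed.
if command -v git >/dev/null 2>&1; then
    verdict=$(git_version_is_fixed "$(git --version)") || true
    symlinks=$(git config --bool --get core.symlinks 2>/dev/null || echo unset)
    if core_symlinks_disabled "$symlinks"; then wa=active; else wa="not active (core.symlinks=$symlinks)"; fi
    echo "local git: $(git --version) -> $verdict; core.symlinks workaround $wa"
fi
```

Run it on each host that clones untrusted repositories; on a distribution package, treat a `vulnerable` or `check-vendor` verdict as a prompt to compare the package's errata (such as the CLSA identifiers in the status table on this page) rather than as a final answer.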


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

Severity Score
CVSS Version 2.x   0 (not scored)
CVSS Version 3.x   9.0 CRITICAL

Status

OS name            Project  Version  Score  Severity  Status          Errata                 Last updated
CentOS 6 ELS       git      1.7.1    9.0    CRITICAL  Not Vulnerable  -                      2024-05-31 10:03:22
CentOS 7 ELS       git      1.8.3    9.0    CRITICAL  Not Vulnerable  -                      2024-05-31 10:03:21
CentOS 8.4 ELS     git      2.27.0   9.0    CRITICAL  Not Vulnerable  -                      2024-07-01 10:09:51
CentOS 8.5 ELS     git      2.27.0   9.0    CRITICAL  Not Vulnerable  -                      2024-07-01 10:09:51
CentOS Stream 8 ELS git     2.43.0   9.0    CRITICAL  Released        CLSA-2024:1718028901   2024-06-10 11:21:43
CloudLinux 6 ELS   git      1.7.1    9.0    CRITICAL  Not Vulnerable  -                      2024-05-31 10:03:22
CloudLinux 7 ELS   git      1.8.3.1  9.0    CRITICAL  Not Vulnerable  -                      2024-07-23 11:58:30
Oracle Linux 6 ELS git      1.7.1    9.0    CRITICAL  Not Vulnerable  -                      2024-05-31 10:03:22
Ubuntu 16.04 ELS   git      2.7.4    9.0    CRITICAL  Not Vulnerable  -                      2024-09-23 12:32:57
Ubuntu 18.04 ELS   git      2.17.1   9.0    CRITICAL  Released        CLSA-2024:1727797025   2024-10-01 14:40:11

The "Version" column is the package's upstream version, not its patch state: the two "Released" rows keep their original version numbers (2.43.0 and 2.17.1, both below the fixed upstream releases listed in the description) and carry the fix through the CLSA errata named in the "Errata" column. Confirm a host's status by the installed errata, not by comparing the version string against the upstream fixed versions.