Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
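A host check built from the fixed releases listed above, as an added example that is not part of the advisory or of Git itself. The function names are hypothetical, and the version string is taken at face value, so a vendor build that backports the fix without changing its version number is reported as affected.

```shell
# Patch level that carries the fix on each maintenance track (from the text above).
fixed_patch_level() {
    case "$1" in
        2.39) echo 4 ;; 2.40) echo 2 ;; 2.41) echo 1 ;; 2.42) echo 2 ;;
        2.43) echo 4 ;; 2.44) echo 1 ;; 2.45) echo 1 ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 = patched, 1 = affected, 2 = version string not understood.
git_is_patched() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2 \3/p')
    [ -n "$parsed" ] || return 2
    set -- $parsed
    major=$1 minor=$2 patch=$3
    # Assumption: tracks older than 2.39 have no fixed release listed, so they
    # count as affected; tracks newer than 2.45 were released after the fix.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 39 ]; }; then
        return 1
    fi
    if [ "$major" -gt 2 ] || [ "$minor" -gt 45 ]; then
        return 0
    fi
    fixed=$(fixed_patch_level "$major.$minor") || return 2
    [ "$patch" -ge "$fixed" ]
}

# Report on the locally installed git; an unparseable version is treated as
# affected. Returns 1 when neither the fix nor the mitigation is in place.
check_local_git() {
    version=$(git --version) || return 2
    if git_is_patched "$version"; then
        echo "patched: $version"
    elif [ "$(git config --bool --get core.symlinks 2>/dev/null)" = "false" ]; then
        echo "affected, but core.symlinks=false is set: $version"
    else
        echo "AFFECTED: $version"
        return 1
    fi
}
```

Source the file and run `check_local_git` on each workstation or build agent; a non-zero status marks a host that still needs the upgrade or the `core.symlinks` setting.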
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-05-14T18:40:46.652Z
Updated: 2024-05-14T18:44:50.559Z
Reserved: 2024-04-08T13:48:37.492Z
Link: CVE-2024-32002
NVD Information
Status: Modified
Published: 2024-05-14T19:15:10.810
Modified: 2024-06-26T10:15:11.863
Link: CVE-2024-32002
Red Hat Information
No data.