CVE-2024-32004 - OpenCVE

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/05/14/2
https://git-scm.com/docs/git-clone
https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-14T18:46:32.192Z

Updated: 2024-05-14T18:46:32.192Z

Reserved: 2024-04-08T13:48:37.493Z

Link: CVE-2024-32004

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-05-14T19:15:11.377

Modified: 2024-06-26T10:15:12.050

Link: CVE-2024-32004

JSON object: View

Redhat Information

No data.

CWE

CWE-114

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32004", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-08T13:48:37.493Z", "datePublished": "2024-05-14T18:46:32.192Z", "dateUpdated": "2024-05-14T18:46:32.192Z"}, "containers": {"cna": {"title": "Git vulnerable to Remote Code Execution while cloning special-crafted local repositories", "problemTypes": [{"descriptions": [{"cweId": "CWE-114", "lang": "en", "description": "CWE-114: Process Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"}, {"name": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8"}, {"name": "https://git-scm.com/docs/git-clone", "tags": ["x_refsource_MISC"], "url": "https://git-scm.com/docs/git-clone"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}], "affected": [{"vendor": "git", "product": "git", "versions": [{"version": "= 2.45.0", "status": "affected"}, {"version": "= 2.44.0", "status": "affected"}, {"version": ">= 2.43.0, < 2.43.4", "status": "affected"}, {"version": ">= 2.42.0, < 2.42.2", "status": "affected"}, {"version": "= 2.41.0", "status": "affected"}, {"version": ">= 2.40.0, < 2.40.2", "status": "affected"}, {"version": "< 2.39.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T18:46:32.192Z"}, "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources."}], "source": {"advisory": "GHSA-xfc6-vwr8-r389", "discovery": "UNKNOWN"}}}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources."}, {"lang": "es", "value": "Git es un sistema de control de revisiones. Antes de las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4, un atacante puede preparar un repositorio local de tal manera que, cuando se clone, ejecute c\u00f3digo arbitrario durante la operaci\u00f3n. El problema se solucion\u00f3 en las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4. Como workaround, evite clonar repositorios de fuentes que no sean de confianza."}], "id": "CVE-2024-32004", "lastModified": "2024-06-26T10:15:12.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T19:15:11.377", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"source": "security-advisories@github.com", "url": "https://git-scm.com/docs/git-clone"}, {"source": "security-advisories@github.com", "url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8"}, {"source": "security-advisories@github.com", "url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-114"}], "source": "security-advisories@github.com", "type": "Secondary"}]}