CVE-2024-32004 Git vulnerable to Remote Code Execution while cloning special-crafted local repositories

2024-05-1418:46:32

CWE-114

GitHub_M

www.cve.org

remote code execution

local repositories

attack

arbitrary code

patched

workaround

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

CNA Affected

[
  {
    "vendor": "git",
    "product": "git",
    "versions": [
      {
        "version": "= 2.45.0",
        "status": "affected"
      },
      {
        "version": "= 2.44.0",
        "status": "affected"
      },
      {
        "version": ">= 2.43.0, < 2.43.4",
        "status": "affected"
      },
      {
        "version": ">= 2.42.0, < 2.42.2",
        "status": "affected"
      },
      {
        "version": "= 2.41.0",
        "status": "affected"
      },
      {
        "version": ">= 2.40.0, < 2.40.2",
        "status": "affected"
      },
      {
        "version": "< 2.39.4",
        "status": "affected"
      }
    ]
  }
]