CVE-2022-24975

2022-02-1120:15:07

Debian Security Bug Tracker

security-tracker.debian.org

git security risk

information disclosure

gitbleed

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.7

Confidence

High

EPSS

0.002

Percentile

53.9%

JSON

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the “GitBleed” issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.

OSVersionArchitecturePackageVersionFilename
Debian12allgit<= 1:2.39.2-1.1git_1:2.39.2-1.1_all.deb
Debian11allgit<= 1:2.30.2-1+deb11u2git_1:2.30.2-1+deb11u2_all.deb
Debian999allgit<= 1:2.45.2-1git_1:2.45.2-1_all.deb
Debian13allgit<= 1:2.45.2-1git_1:2.45.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	git	<= 1:2.39.2-1.1	git_1:2.39.2-1.1_all.deb
Debian	11	all	git	<= 1:2.30.2-1+deb11u2	git_1:2.30.2-1+deb11u2_all.deb
Debian	999	all	git	<= 1:2.45.2-1	git_1:2.45.2-1_all.deb
Debian	13	all	git	<= 1:2.45.2-1	git_1:2.45.2-1_all.deb