CVE-2024-32002

2024-05-1419:15:10

Debian Security Bug Tracker

security-tracker.debian.org

git

bug

submodule

exploit

security

cloning

repository

unix

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

51.7%

JSON

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule’s worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won’t work. As always, it is best to avoid cloning repositories from untrusted sources.

OSVersionArchitecturePackageVersionFilename
Debian12allgit<= 1:2.39.2-1.1git_1:2.39.2-1.1_all.deb
Debian11allgit<= 1:2.30.2-1+deb11u2git_1:2.30.2-1+deb11u2_all.deb
Debian999allgit< 1:2.45.1-1git_1:2.45.1-1_all.deb
Debian13allgit<= 1:2.43.0-1git_1:2.43.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	git	<= 1:2.39.2-1.1	git_1:2.39.2-1.1_all.deb
Debian	11	all	git	<= 1:2.30.2-1+deb11u2	git_1:2.30.2-1+deb11u2_all.deb
Debian	999	all	git	< 1:2.45.1-1	git_1:2.45.1-1_all.deb
Debian	13	all	git	<= 1:2.43.0-1	git_1:2.43.0-1_all.deb