redhatcve | Redhat.com | RH:CVE-2022-24975
History: Feb 15, 2022 - 2:29 p.m.

CVE-2022-24975

2022-02-15 14:29:59
redhat.com
access.redhat.com
git
gitbleed
“--mirror” option
sensitive information
bfg
git-filter-repo
garbage collection

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002
Percentile: 53.9%

A flaw known as “GitBleed” was found in Git, where repositories cloned via the “--mirror” option may leak secrets or sensitive information that was not properly removed or deleted earlier. Attackers and bug bounty hunters can use this discrepancy in Git behavior to find hidden secrets and other sensitive data in public repositories.

Mitigation

Organizations can mitigate this by analyzing a fuller copy of their repositories, cloned with the “--mirror” option, and removing sensitive data using tools like BFG or git-filter-repo. Garbage collection and pruning in Git are also recommended.

Organizations should not analyze regular cloned copies (made without the “--mirror” option), since that may provide a false sense of security, and should not rely on methods of removing secrets such as deleting a branch or rewinding history via the “git reset” command.
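
The audit step of the mitigation above, as an added example (not part of the Red Hat advisory): it mirror-clones a repository you own and lists the commits and refs that a regular clone would not have fetched. The function names, the ref name refs/archive/old and the demo repository contents are constructed for illustration; the check approximates a regular clone as "branches and tags only".

```shell
#!/bin/sh
# Added example: find history that only a --mirror clone of your repository exposes.

# mirror_only_commits <repo-url-or-path> <workdir>
# Mirror-clones the repository and prints commit IDs reachable only from refs
# outside refs/heads/* and refs/tags/* (the refs a default clone fetches).
mirror_only_commits() {
    rm -rf "$2/audit.git"
    git clone --quiet --mirror --no-local "$1" "$2/audit.git" || return 1
    git -C "$2/audit.git" rev-list --all --not --branches --tags
}

# mirror_only_refs <workdir>
# Names the refs in the mirror that a default clone would not have fetched.
mirror_only_refs() {
    git -C "$1/audit.git" for-each-ref --format='%(refname)' |
        grep -v -e '^refs/heads/' -e '^refs/tags/'
}

# make_demo_repo <dir>
# Constructed sample: a fake key is committed, kept alive by a non-branch ref
# (refs/archive/old, a hypothetical name), then "removed" with git reset.
make_demo_repo() {
    git init --quiet "$1"
    git -C "$1" config user.email audit@example.invalid
    git -C "$1" config user.name audit
    echo 'hello' > "$1/README"
    git -C "$1" add README
    git -C "$1" commit --quiet -m 'initial'
    echo 'API_KEY=CONSTRUCTED-NOT-A-REAL-KEY' > "$1/config.env"
    git -C "$1" add config.env
    git -C "$1" commit --quiet -m 'add config'
    git -C "$1" update-ref refs/archive/old HEAD
    git -C "$1" reset --quiet --hard HEAD~1
}

# Usage: sh audit.sh <repo-url-or-path>
if [ $# -ge 1 ]; then
    work=$(mktemp -d)
    mirror_only_commits "$1" "$work"
    mirror_only_refs "$work"
fi
```

Any commit it prints is history to review for secrets before cleaning up with BFG or git-filter-repo.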
