CVE-2024-24577

2024-02-0600:00:00

ubuntu.com

cve-2024-24577

libgit2

git

arbitrary code execution

heap corruption

patch

unix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.2%

JSON

libgit2 is a portable C implementation of the Git core methods provided as
a linkable library with a solid API, allowing to build Git functionality
into your application. Using well-crafted inputs to git_index_add can
cause heap corruption that could be leveraged for arbitrary code execution.
There is an issue in the has_dir_name function in src/libgit2/index.c,
which frees an entry that should not be freed. The freed entry is later
used and overwritten with potentially bad actor-controlled data leading to
controlled heap corruption. Depending on the application that uses libgit2,
this could lead to arbitrary code execution. This issue has been patched in
version 1.6.5 and 1.7.2.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchlibgit2< 0.26.0+dfsg.1-1.1ubuntu0.2+esm1UNKNOWN
ubuntu20.04noarchlibgit2< 0.28.4+dfsg.1-2ubuntu0.1UNKNOWN
ubuntu22.04noarchlibgit2< 1.1.0+dfsg.1-4.1ubuntu0.1UNKNOWN
ubuntu23.10noarchlibgit2< 1.5.1+ds-1ubuntu1.1UNKNOWN
ubuntu14.04noarchlibgit2< anyUNKNOWN
ubuntu16.04noarchlibgit2< 0.24.1-2ubuntu0.2+esm2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	libgit2	< 0.26.0+dfsg.1-1.1ubuntu0.2+esm1	UNKNOWN
ubuntu	20.04	noarch	libgit2	< 0.28.4+dfsg.1-2ubuntu0.1	UNKNOWN
ubuntu	22.04	noarch	libgit2	< 1.1.0+dfsg.1-4.1ubuntu0.1	UNKNOWN
ubuntu	23.10	noarch	libgit2	< 1.5.1+ds-1ubuntu1.1	UNKNOWN
ubuntu	14.04	noarch	libgit2	< any	UNKNOWN
ubuntu	16.04	noarch	libgit2	< 0.24.1-2ubuntu0.2+esm2	UNKNOWN