CVE-2022-24975
Published 2022-02-11
Priority P3 · 39 · CVSS 3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 2.65% (83.7th percentile)
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
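The behaviour the advisory describes is a refspec difference, not a bug in object transfer: a plain `git clone` fetches only `refs/heads/*` and `refs/tags/*`, while `git clone --mirror` fetches every ref the server advertises (for example `refs/pull/*`, which GitHub uses for pull-request heads). A commit on a deleted branch that is still pointed to by such a ref is therefore absent from a plain clone and present in a mirror clone, and any secret scan that only audits the plain clone misses it. The following POSIX shell script is an added example, not code from the advisory, from NightWatch Cybersecurity, or from the Git project: it builds a throwaway bare "server" repository with a constructed marker string standing in for a credential, deletes the branch that carried it while leaving a hidden `refs/pull/1/head` ref behind, then compares what a plain clone and a mirror clone can see. Repository paths, branch names and the marker value are all constructed for the demo; it assumes `git` is on `PATH` and needs no existing git configuration.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Git project: reproduce the
# GitBleed discrepancy locally. A plain clone fetches only refs/heads/* and
# refs/tags/*; `git clone --mirror` fetches every ref the server advertises,
# so a commit that survives only under a hidden ref (here refs/pull/1/head,
# the ref layout GitHub uses for pull-request heads) is missed by the first
# and retrieved by the second. Paths, names and the marker string below are
# constructed for the demo.
set -eu

# Identity for the constructed commits (assumed absent from git config).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Constructed marker string standing in for a leaked credential.
SECRET="AKIAEXAMPLEFAKEKEY000"

# make_server DIR: build a bare "server" repository at DIR. A feature branch
# once carried the secret; the branch is deleted server-side, but a hidden ref
# still points at its commit, so the object remains reachable and advertised.
make_server() {
    srv=$1
    work=$(mktemp -d)
    git init -q "$work"
    git -C "$work" symbolic-ref HEAD refs/heads/main
    echo "hello" > "$work/README"
    git -C "$work" add README
    git -C "$work" commit -q -m "init"
    git -C "$work" checkout -q -b feature
    printf 'aws_key = %s\n' "$SECRET" > "$work/config.ini"
    git -C "$work" add config.ini
    git -C "$work" commit -q -m "add config (oops)"
    git -C "$work" checkout -q main
    git clone -q --bare "$work" "$srv"
    leaked=$(git -C "$srv" rev-parse refs/heads/feature)
    git -C "$srv" update-ref refs/pull/1/head "$leaked"   # hidden ref keeps the commit alive
    git -C "$srv" update-ref -d refs/heads/feature        # the "deleted" branch
    rm -rf "$work"
}

# hidden_refs REPO: refs the server advertises outside refs/heads and
# refs/tags. Worth running before an audit; a plain clone never fetches them.
hidden_refs() {
    git ls-remote "$1" | awk '$2 ~ /^refs\// && $2 !~ /^refs\/(heads|tags)\//{print $2}'
}

# secret_hits CLONE: number of (commit, path) pairs containing the marker,
# searched across every ref the clone holds rather than the checkout only.
secret_hits() {
    git -C "$1" grep -l --fixed-strings "$SECRET" $(git -C "$1" rev-list --all) 2>/dev/null \
        | wc -l | tr -d ' '
}

# gitbleed_demo: plain clone vs mirror clone of the same server; the last
# line printed is the comparison (plain=0 mirror=1 for the constructed repo).
gitbleed_demo() {
    base=$(mktemp -d)
    make_server "$base/server.git"
    git clone -q "file://$base/server.git" "$base/plain"
    git clone -q --mirror "file://$base/server.git" "$base/mirror.git"
    echo "hidden refs advertised by server: $(hidden_refs "$base/server.git" | tr '\n' ' ')"
    echo "plain=$(secret_hits "$base/plain") mirror=$(secret_hits "$base/mirror.git")"
    rm -rf "$base"
}

gitbleed_demo
```

For an information-disclosure audit the practical consequences are: enumerate refs with `git ls-remote` first, clone with `--mirror` (or fetch with the refspec `+refs/*:refs/*`) rather than a plain clone, and scan across `git rev-list --all` instead of the working tree. The caveat cuts both ways: a mirror clone only receives objects reachable from refs the server chooses to advertise, so anything unreachable from every ref, or hidden with `transfer.hideRefs` / `uploadpack.hideRefs`, is still out of reach of this method, which is part of why third parties dispute that the behaviour is a vulnerability at all.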
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | — | — |
| git-scm | git | <= 2.35.1 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-wx8f-p63x-543f (ghsa_unreviewed · 2022-02-12 · HIGH · CWE-668)
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.
OSV
CVE-2022-24975 (osv · 2022-02-11 · CVSS 7.5 · HIGH)
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
Red Hat
git: The --mirror option for git leaks secret for deleted content, aka the "GitBleed" (vendor_redhat · 2022-02-11 · CVSS 7.5 · HIGH · CWE-200)
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
A flaw known as "GitBleed" was found in Git, where repositories cloned via the "--mirror" option may leak secrets or sensitive information if not properly removed/deleted earlier. This flaw allows attackers and bug bounty hunters to use this discrepancy in Git behavior to find hidden secrets and other
Debian
CVE-2022-24975: git (vendor_debian · 2022 · CVSS 7.5 · HIGH)
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/
https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/