CVE-2024-24575: Uncontrolled Resource Consumption in libgit2

Severity
NVD: 7.5 HIGH
OSV: 9.8
EPSS: 1.8% (top 17.10%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Feb 6
Latest update: Mar 5

Description

libgit2 is a portable C implementation of the Git core methods, provided as a linkable library with a solid API that lets you build Git functionality into your application. Well-crafted input to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a denial of service in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge case during parsing that allows a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (9 packages)

Source      Package            Affected versions
Debian      debian/libgit2     < libgit2 1.5.1+ds-1+deb12u1 (bookworm)
NVD         libgit2/libgit2    1.4.0 to 1.6.5 (+1 more range)
Debian      libgit2/libgit2    < 1.5.1+ds-1+deb12u1 (+2 more ranges)
Ubuntu      libgit2/libgit2    < 0.28.4+dfsg.1-2ubuntu0.1 (+3 more ranges)
CVEListV5   libgit2/libgit2    >= 1.4.0, < 1.6.5; >= 1.7.0, < 1.7.2 (+1 more range)

Patches

Vulnerability Details (2)

OSV: libgit2 vulnerabilities (2024-03-05)
OSV: CVE-2024-24575: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality in (2024-02-06)

Vendor Advisories (4)

Ubuntu: libgit2 vulnerabilities (2024-03-05)
Microsoft: libgit2 is vulnerable to a denial of service attack in `git_revparse_single` (2024-02-13)
Red Hat: libgit2: potential infinite loop condition in git_revparse_single (2024-02-06)
Debian: CVE-2024-24575: libgit2 - libgit2 is a portable C implementation of the Git core methods provided as a lin... (2024)