CVE-2024-32002
published 2024-05-14

Priority: P2 (69) · CVSS 3.1: 9 (critical)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 25.33% (97.7th percentile)

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Affected

26 ranges · showing 25

Vendor  | Product                                   | Version range                        | Fixed in
apple   | xcode                                     |                                      |
debian  | git                                       | < git 1:2.39.5-0+deb12u1 (bookworm)  | git 1:2.39.5-0+deb12u1 (bookworm)
git     | git                                       | < 2.39.4                             | 2.39.4
git     | git                                       |                                      |
git     | git                                       |                                      |
git     | git                                       |                                      |
git     | git                                       | >= 0 < 1:2.30.2-1+deb11u3            | 1:2.30.2-1+deb11u3
git     | git                                       | >= 0 < 1:2.39.5-0+deb12u1            | 1:2.39.5-0+deb12u1
git     | git                                       | >= 0 < 1:2.45.1-1                    | 1:2.45.1-1
git     | git                                       | >= 0 < 1:2.45.1-1                    | 1:2.45.1-1
git     | git                                       | >= 0 < 1:2.25.1-1ubuntu3.12          | 1:2.25.1-1ubuntu3.12
git     | git                                       | >= 0 < 1:2.25.1-1ubuntu3.13          | 1:2.25.1-1ubuntu3.13
git     | git                                       | >= 0 < 1:2.34.1-1ubuntu1.11          | 1:2.34.1-1ubuntu1.11
git     | git                                       | >= 0 < 1:2.43.0-1ubuntu7.1           | 1:2.43.0-1ubuntu7.1
git     | git                                       | >= 0 < 1:2.7.4-0ubuntu1.10+esm8      | 1:2.7.4-0ubuntu1.10+esm8
git     | git                                       | >= 0 < 1:2.17.1-1ubuntu0.18+esm1     | 1:2.17.1-1ubuntu0.18+esm1
git     | git                                       | >= 2.40.0 < 2.40.2                   | 2.40.2
git     | git                                       | >= 2.42.0 < 2.42.2                   | 2.42.2
git     | git                                       | >= 2.43.0 < 2.43.4                   | 2.43.4
jelmer  | dulwich                                   |                                      |
msrc    | microsoft_visual_studio_2017_version_15.9 |                                      |
msrc    | microsoft_visual_studio_2019_version_16.11|                                      |
msrc    | microsoft_visual_studio_2022_version_17.4 |                                      |
msrc    | microsoft_visual_studio_2022_version_17.6 |                                      |
msrc    | microsoft_visual_studio_2022_version_17.8 |                                      |

Detection & IOCs (extracted from sources)

  • Attack vector: crafted repository with submodules where the submodule path resolves to `.git/` directory (e.g., `.git/hooks`), allowing attacker-controlled files to be written into the victim's `.git/hooks/` directory with executable bits preserved
  • Dulwich-specific attack path: malicious `.gitmodules` with a submodule `path` set to `.git/hooks` (or any directory inside `.git/`) causes attacker tree contents to be written into `.git/hooks/` with executable mode bits, triggering RCE on any subsequent hook-invoking command
  • Exploitation requires case-insensitive filesystems with symbolic link support enabled; disabling symlinks via `git config --global core.symlinks false` prevents the attack
  • Monitor for `git clone --recurse-submodules` or `porcelain.clone(..., recurse_submodules=True)` operations against untrusted repositories, especially where submodule paths resolve inside `.git/`
  • Disabling symbolic link support in Git fully mitigates this attack; enforce `core.symlinks = false` globally on systems that clone untrusted repositories
  • Dulwich versions from 0.23.2 up to (but not including) 1.2.5 are independently vulnerable via `dulwich.porcelain.submodule_update` and `porcelain.clone(..., recurse_submodules=True)`; upgrading to 1.2.5 is required, since Git patches alone do not cover dulwich
  • Git fixed versions are 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4; systems running older versions remain vulnerable during recursive clone operations
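The detection bullets above boil down to one pre-clone check: does any submodule `path` in `.gitmodules` land inside `.git/`, either directly or through a symlink? The following is an added example written for this page (it is not code from Git, Dulwich or the advisory source) that parses a `.gitmodules` file and flags such entries. It generalises slightly beyond the `.git/hooks` case quoted above: the `.git` component is matched case-insensitively (the case-insensitive-filesystem precondition), `..` traversal and absolute paths are flagged, and when a checked-out tree is available, any existing prefix of the path that is a symlink is reported. The sample `.gitmodules` text, the `example.invalid` URLs and the `link -> .git` symlink are constructed for the demo.

```python
"""Flag submodule entries in a .gitmodules file whose path would land inside .git/.

Added example for this advisory page; not code from Git, Dulwich or the
advisory source. The sample .gitmodules text and symlink below are constructed.
"""
import os
import posixpath
import re
import tempfile

# Section header: [submodule "name"]; keys are tab- or space-indented "key = value".
_SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
_KEY = re.compile(r'^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<val>.*?)\s*$')


def parse_gitmodules(text):
    """Return {name: {key: value}} for each [submodule "name"] section."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = _SECTION.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = _KEY.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("val")  # config keys are case-insensitive
    return modules


def path_findings(path):
    """Reasons a submodule path is unsafe to check out, or [] if none were found."""
    reasons = []
    if not path:
        return ["empty path"]
    norm = posixpath.normpath(path.replace("\\", "/"))
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        reasons.append("absolute path")
    parts = norm.split("/")
    if ".." in parts:
        reasons.append("parent-directory traversal")
    # Case-insensitive match: on a case-insensitive filesystem .GIT and .Git are .git.
    if any(p.lower() == ".git" for p in parts):
        reasons.append("path component resolves into .git/")
    return reasons


def symlinked_prefix(repo_root, path):
    """Return the first already-existing prefix of `path` that is a symlink, else None.

    Submodule contents are written by walking the path component by component;
    if an existing prefix is a symlink into .git/, files land there instead of
    in a worktree. Only prefixes that already exist on disk are inspected.
    """
    cur = repo_root
    for part in posixpath.normpath(path.replace("\\", "/")).split("/"):
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return os.path.relpath(cur, repo_root)
        if not os.path.exists(cur):
            break
    return None


def audit(text, repo_root=None):
    """Map submodule name -> list of findings (an empty list means nothing flagged)."""
    report = {}
    for name, cfg in parse_gitmodules(text).items():
        path = cfg.get("path", "")
        findings = path_findings(path)
        if repo_root is not None and path:
            link = symlinked_prefix(repo_root, path)
            if link is not None:
                findings.append(f"path goes through symlink {link!r}")
        report[name] = findings
    return report


# Constructed sample: one benign entry and one whose path lands in .git/hooks.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "evil"]
\tpath = .GIT/hooks
\turl = https://example.invalid/evil.git
"""


def demo():
    """Audit the sample plus a third entry whose path crosses a constructed symlink."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        os.symlink(".git", os.path.join(root, "link"))  # constructed: link -> .git
        text = SAMPLE_GITMODULES + '[submodule "via_link"]\n\tpath = link/hooks\n'
        return audit(text, root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run `audit(open(".gitmodules").read(), repo_root=".")` before `git submodule update` or a `--recurse-submodules` clone on untrusted input; an empty list for every entry means no path resolved into `.git/`. The check complements, rather than replaces, the fixed Git and Dulwich versions and `core.symlinks = false` listed above.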

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.0   | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
osv           |         | 9.0   | CRITICAL |
vendor_oracle |         | 9.8   | CRITICAL |
vendor_debian |         | 9.0   | CRITICAL |
vendor_msrc   |         | 9.0   | CRITICAL |
vendor_redhat |         | 9.0   | CRITICAL |
vendor_ubuntu |         | 9.0   | CRITICAL |