CVE-2024-32002: Path Traversal in Git

Severity
  NVD: 9.0 CRITICAL
  OSV: 2.2
EPSS
  80.4% (top 0.87%)
CISA KEV
  Not in KEV
Exploit
  No known exploits
Timeline
  Published: 2024-05-14
  Latest update: 2024-09-19

Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in
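As an added example (not code from the advisory, from Git, or from any source listed on this page), the script below turns the description above into two practical checks: whether an installed Git reports a version inside the vulnerable ranges, using only the fixed versions the description lists, and whether a finished clone contains a live hook under `.git/hooks` or under a submodule's `.git/modules/<name>/hooks`, which is the `.git/` location the description says the crafted repository writes into. The helper names, the `FIXED_PATCH` table layout and the constructed directory layout in the main block are assumptions made for illustration.

```python
"""CVE-2024-32002 triage helpers: is the installed Git in a vulnerable upstream
range, and does a cloned repository contain a live hook under .git/?
Added example; not part of the advisory or of Git's own code."""
import os
import re
import shutil
import subprocess
import tempfile

# Fixed versions as listed in the advisory description, keyed by minor series.
# Anything older than the 2.39 series is vulnerable; anything newer than the
# 2.45 series already contains the fix.
FIXED_PATCH = {39: 4, 40: 2, 41: 1, 42: 2, 43: 4, 44: 1, 45: 1}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'git version 2.45.0'
    or '2.39.3.windows.1'. Returns None when no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version_text):
    """True when the upstream Git version is older than the fix for its series.
    Only upstream numbers are compared: distribution backports (Debian's
    1:2.30.2-1+deb11u3, for example) keep the old upstream version string,
    so for distro packages compare the package version with the vendor advisory."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError("no version number in %r" % version_text)
    major, minor, patch = parsed
    if major != 2:
        return major < 2
    if minor < 39:
        return True
    if minor > 45:
        return False
    return patch < FIXED_PATCH[minor]


SAMPLE_SUFFIX = ".sample"


def is_active_hook(relpath):
    """Classify a path relative to the repository root (forward slashes).
    A file directly inside a 'hooks' directory that sits below a '.git'
    directory (the top-level .git/hooks, or a submodule's
    .git/modules/<name>/hooks) counts as an active hook unless it is one of
    Git's *.sample templates. Application directories named 'hooks' outside
    .git (e.g. src/hooks/) are ignored."""
    parts = relpath.replace(os.sep, "/").split("/")
    if ".git" not in parts or len(parts) < 3:
        return False
    git_idx = parts.index(".git")
    if parts[-2] != "hooks" or len(parts) - 2 <= git_idx:
        return False
    return not parts[-1].endswith(SAMPLE_SUFFIX)


def find_active_hooks(repo_root):
    """Walk a checkout and return the repo-relative paths of every active hook
    file, sorted. A fresh 'git clone' should not leave any behind."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(repo_root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), repo_root)
            if is_active_hook(rel):
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def installed_git_version():
    """Return the output of 'git --version', or None if git is not on PATH."""
    if shutil.which("git") is None:
        return None
    return subprocess.run(["git", "--version"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    ver = installed_git_version()
    if ver is None:
        print("git not found on PATH")
    else:
        state = "VULNERABLE (upstream range)" if is_vulnerable(ver) else "fixed"
        print("%s -> %s" % (ver, state))

    # Constructed layout standing in for a clone with a planted submodule hook.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in {
            ".git/hooks/pre-commit.sample": "# template shipped by git\n",
            ".git/modules/evil/hooks/post-checkout": "#!/bin/sh\necho hook ran\n",
            "src/hooks/useAuth.js": "// application code, not a git hook\n",
        }.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        print("active hooks:", find_active_hooks(root))
```

Two caveats. The version check compares upstream numbers only, so a distribution package such as Debian's 1:2.30.2-1+deb11u3 in the table below reports `git version 2.30.2` while carrying the backported fix; for those, compare the package version with the vendor advisory instead. The hook scan is a post-hoc check: per the description, a planted hook may already have run by the time the clone finishes, so treat a hit as a reason to discard the clone and inspect the host, not as prevention. Since the CVEList reference ties the issue to recursive clones, clone untrusted repositories without `--recurse-submodules`, inspect `.gitmodules`, and only then initialise submodules on a patched Git.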

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 6.0

Affected Packages (4 packages)

Source       Package   Affected range
CVEList V5   git/git   < 2.39.4                  (+6 more ranges)
NVD          git/git   >= 2.40.0, < 2.40.2       (+6 more ranges)
Debian       git/git   < 1:2.30.2-1+deb11u3      (+3 more ranges)
Ubuntu       git/git   < 1:2.25.1-1ubuntu3.12    (+5 more ranges)

Vulnerability Details

- OSV: git vulnerabilities (2024-09-19)
- OSV: git vulnerability (2024-06-18)
- OSV: git vulnerabilities (2024-05-28)
- OSV: CVE-2024-32002: Git is a revision control system (2024-05-14)
- CVEList: Git's recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution (2024-05-14)

Vendor Advisories

- Ubuntu: Git vulnerabilities (2024-09-19)
- Apple: CVE-2024-32002: Xcode 16 (2024-09-16)
- Ubuntu: Git vulnerability (2024-06-18)
- Ubuntu: Git vulnerabilities (2024-05-28)
- Red Hat: git: Recursive clones RCE (2024-05-14)

Threat Intelligence

- Trend Micro: The May 2024 Security Update Review (2024-05-14)
- Tenable: Microsoft's May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040) (2024-05-14)
- BleepingComputer: Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws (2024-05-14)

Research Papers

- CTF: ippsec-video-index