CVE-2024-32004
Published: 2024-05-14
Priority: P3 (score 42) · CVSS 3.1: 7.8 High · Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.27% (66.2th percentile)
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository so that cloning it executes arbitrary code during the clone operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. The attack surface is local (CVSS AV:L): the attacker needs a repository already on the victim's system, for example one owned by another user on a shared host. For repositories obtained as an archive rather than cloned from another user's directory, the companion CVE-2024-32465 below states that the fixes for this CVE alone are not sufficient, so patch for both.
Affected (33 ranges indexed, 25 shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| git-scm | git | < 2.39.4 | 2.39.4 |
| git-scm | git | >= 2.40.0 < 2.40.2 | 2.40.2 |
| git-scm | git | >= 2.42.0 < 2.42.2 | 2.42.2 |
| git-scm | git | >= 2.43.0 < 2.43.4 | 2.43.4 |
| debian | git (bullseye) | < 1:2.30.2-1+deb11u3 | 1:2.30.2-1+deb11u3 |
| debian | git (bookworm) | < 1:2.39.5-0+deb12u1 | 1:2.39.5-0+deb12u1 |
| debian | git (trixie, forky, sid) | < 1:2.45.1-1 | 1:2.45.1-1 |
| ubuntu | git (20.04 focal) | < 1:2.25.1-1ubuntu3.12 | 1:2.25.1-1ubuntu3.12 |
| ubuntu | git (22.04 jammy) | < 1:2.34.1-1ubuntu1.11 | 1:2.34.1-1ubuntu1.11 |
| ubuntu | git (24.04 noble) | < 1:2.43.0-1ubuntu7.1 | 1:2.43.0-1ubuntu7.1 |
| fedoraproject | fedora | (version data not indexed) | see the Fedora announcement in the references |

Not among the indexed ranges: the 2.41.x, 2.44.x and 2.45.x upstream lines, fixed in 2.41.1, 2.44.1 and 2.45.1 respectively per the advisory text. Distribution packages whose upstream version is older than 2.39 (Debian bullseye, Ubuntu 20.04 and 22.04) carry backported fixes, so compare the package version, not the upstream number, on those systems.
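Checking an installed git against the fixed versions above, as an added example that is not the Git project's code. It covers the two cases the table shows: upstream git-scm releases, compared per maintenance line against the first fixed release named in the advisory, and Debian/Ubuntu package versions, compared with a reimplementation of dpkg's version ordering so that a backported fix such as 1:2.39.5-0+deb12u1 is recognised even though its upstream number is below 2.45.1. The `FIXED_UPSTREAM` table is transcribed from the advisory; the comparator, function names and sample version strings are mine.

```python
"""Is this git fixed for CVE-2024-32004?  Added example, not Git project code.

Two checks: upstream release numbers (git-scm) against the first fixed release
on each maintenance line named in the advisory, and Debian/Ubuntu package
versions against the distribution's fixed package version, using a
reimplementation of dpkg's ordering (epoch:upstream-revision, '~' sorts first).
"""
import re
from typing import Tuple

# First fixed release per maintenance line, transcribed from the advisory text.
FIXED_UPSTREAM = {
    (2, 39): (2, 39, 4), (2, 40): (2, 40, 2), (2, 41): (2, 41, 1),
    (2, 42): (2, 42, 2), (2, 43): (2, 43, 4), (2, 44): (2, 44, 1),
    (2, 45): (2, 45, 1),
}


def parse_upstream(text: str) -> Tuple[int, int, int]:
    """'git version 2.45.0', '2.43.0.windows.1', '1:2.39.5-0+deb12u1' -> (maj, min, patch)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_status(text: str) -> str:
    """'fixed', 'vulnerable', or 'unfixed-line' for lines older than 2.39, where
    upstream shipped no fix and only a distribution backport applies."""
    v = parse_upstream(text)
    if v[:2] in FIXED_UPSTREAM:
        return "fixed" if v >= FIXED_UPSTREAM[v[:2]] else "vulnerable"
    return "fixed" if v >= (2, 46, 0) else "unfixed-line"   # 2.46+ postdates the fix


def _order(c: str) -> int:
    """dpkg character weight: digits 0, letters by code, '~' before everything else."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: compare alternating non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_deb(v: str) -> Tuple[int, str, str]:
    """'1:2.39.5-0+deb12u1' -> (1, '2.39.5', '0+deb12u1'); epoch and revision optional."""
    epoch, upstream, revision = 0, v, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision


def deb_version_cmp(a: str, b: str) -> int:
    ea, ua, ra = _split_deb(a)
    eb, ub, rb = _split_deb(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def package_is_fixed(installed: str, fixed: str) -> bool:
    """installed >= fixed in dpkg ordering; installed comes from
    `dpkg-query -W -f '${Version}' git`, fixed from the table above."""
    return deb_version_cmp(installed, fixed) >= 0
```

On a Debian or Ubuntu host feed `package_is_fixed` the output of `dpkg-query -W -f '${Version}' git` together with the matching "Fixed in" value from the table; `upstream_status` on `git --version` alone would report `unfixed-line` for a backported 2.30.2 or 2.34.1 package and is only meaningful for builds taken directly from git-scm releases.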
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | 9.0 | CRITICAL | |
| vendor_ubuntu | 9.0 | CRITICAL | |
| vendor_debian | 8.1 | HIGH | |
| vendor_msrc | 8.1 | HIGH | |
| vendor_redhat | 8.1 | HIGH | |

The 9.0 entries are inherited from the Ubuntu notice that bundles this CVE with CVE-2024-32002 (the submodule RCE); OSV's own record for CVE-2024-32004, listed below, scores it 7.8, and Red Hat's statement explains why it stops short of Critical.
Ubuntu
Git vulnerabilities
vendor_ubuntu·2024-09-19·CVSS 3.3
CVE-2024-32021 [LOW] Git vulnerabilities
Title: Git vulnerabilities
Summary: Several security issues were fixed in Git.
Maxime Escourbiac and Yassine Bengana discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. This issue was fixed
in Ubuntu 16.04 LTS. (CVE-2023-25815)
It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32002)
It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code. This
issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32004, CVE-2024-32465)
It was discovered that Git incorrectly hand
Ubuntu
Git vulnerabilities
vendor_ubuntu·2024-05-28·CVSS 9.0
CVE-2024-32021 [CRITICAL] Git vulnerabilities
Title: Git vulnerabilities
Summary: Several security issues were fixed in Git.
It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2024-32002)
It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-32004)
It was discovered that Git incorrectly handled local clones with hardlinked
files/directories. An attacker could possibly use this issue to place a
specialized repository on their target's local system. (CVE-2024-32020)
It was discovered that Git incorrectly handled certain symlinks. An attacker
could possibly use this iss
Red Hat
git: RCE while cloning local repos
vendor_redhat·2024-05-14·CVSS 8.1
CVE-2024-32004 [HIGH] CWE-114 git: RCE while cloning local repos
git: RCE while cloning local repos
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.
A vulnerability was found in Git. This vulnerability can be exploited by an unauthenticated attacker who places a specialized repository on the target's local system. If the victim clones this repository, the attacker can execute arbitrary code.
Statement: This vulnerability, while significant, does not reach Critical severity due to its reliance on loc
Microsoft
GitHub: CVE-2024-32004 Remote Code Execution while cloning special-crafted local repositories
vendor_msrc·2024-05-14·CVSS 8.1
CVE-2024-32004 [HIGH] CWE-36 GitHub: CVE-2024-32004 Remote Code Execution while cloning special-crafted local repositories
GitHub: CVE-2024-32004 Remote Code Execution while cloning special-crafted local repositories
FAQ: Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in MinGit software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A
Remediation: Release Notes
Reference: http://aka.ms/vs/15/release/latest
Red Hat
git: additional local RCE
vendor_redhat·2024-05-14·CVSS 8.1
CVE-2024-32465 [HIGH] CWE-22 git: additional local RCE
git: additional local RCE
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The proble
Debian
CVE-2024-32465: git - Git is a revision control system. The Git project recommends to avoid working in...
vendor_debian·2024·CVSS 8.1
CVE-2024-32465 [HIGH] CVE-2024-32465: git - Git is a revision control system. The Git project recommends to avoid working in...
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versi
Debian
CVE-2024-32004: git - Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42...
vendor_debian·2024·CVSS 8.1
CVE-2024-32004 [HIGH] CVE-2024-32004: git - Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42...
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.
Scope: local
bookworm: resolved (fixed in 1:2.39.5-0+deb12u1)
bullseye: resolved (fixed in 1:2.30.2-1+deb11u3)
forky: resolved (fixed in 1:2.45.1-1)
sid: resolved (fixed in 1:2.45.1-1)
trixie: resolved (fixed in 1:2.45.1-1)
OSV
git vulnerabilities
osv·2024-09-19·CVSS 2.2
CVE-2023-25815 [LOW] git vulnerabilities
git vulnerabilities
Maxime Escourbiac and Yassine Bengana discovered that Git incorrectly
handled some gettext machinery. An attacker could possibly use this issue
to allow the malicious placement of crafted messages. This issue was fixed
in Ubuntu 16.04 LTS. (CVE-2023-25815)
It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32002)
It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code. This
issue was fixed in Ubuntu 18.04 LTS. (CVE-2024-32004, CVE-2024-32465)
It was discovered that Git incorrectly handled local clones with hardlinked
files/directories. An attac
OSV
git vulnerabilities
osv·2024-05-28·CVSS 9.0
CVE-2024-32002 [CRITICAL] git vulnerabilities
git vulnerabilities
It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2024-32002)
It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-32004)
It was discovered that Git incorrectly handled local clones with hardlinked
files/directories. An attacker could possibly use this issue to place a
specialized repository on their target's local system. (CVE-2024-32020)
It was discovered that Git incorrectly handled certain symlinks. An attacker
could possibly use this issue to impact availability and integrity
creating hardlinked
OSV
CVE-2024-32004: Git is a revision control system
osv·2024-05-14·CVSS 7.8
CVE-2024-32004 [HIGH] CVE-2024-32004: Git is a revision control system
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.
OSV
CVE-2024-32465: Git is a revision control system
osv·2024-05-14·CVSS 7.8
CVE-2024-32465 [HIGH] CVE-2024-32465: Git is a revision control system
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versi
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-52726 dulwich: Dulwich: Arbitrary code execution via crafted Git submodules
bugzilla·2026-06-10·CVSS 9.0
CVE-2026-52726 [CRITICAL] CVE-2026-52726 dulwich: Dulwich: Arbitrary code execution via crafted Git submodules
CVE-2026-52726 dulwich: Dulwich: Arbitrary code execution via crafted Git submodules
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `
Bugzilla
CVE-2024-32465 git: additional local RCE
bugzilla·2024-05-14·CVSS 7.8
CVE-2024-32465 [HIGH] CVE-2024-32465 git: additional local RCE
CVE-2024-32465 git: additional local RCE
The Git project recommends to avoid working in untrusted repositories, and instead to clone them first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed.
In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004.
But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository.
Discussion:
Created git tra
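The CVE-2024-32465 text above, and the Red Hat and Debian copies of it earlier on this page, say a repository obtained from another user's directory or from a `.zip` can carry hooks configured to run in its context. The following is an added triage script, not Git project code, for looking at such a repository before cloning from it or running git in it: it reads the repository from disk without invoking git and reports hook scripts, a `core.hooksPath` override, config `include`/`includeIf` paths, and a `.git` pointer file that leads outside the tree. The minimal config parser, the `Findings` record and the constructed sample repositories in `demo()` are mine; it is a triage aid, and patching git remains necessary regardless of what it reports.

```python
"""Pre-clone triage of an untrusted local repository (another user's directory
or a tree extracted from a .zip).  Added example, not Git project code: reads
the repository from disk without running git and reports the things a crafted
repository can use to run code when cloned or worked in.  Triage only.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_SECTION = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')
_ENTRY = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Minimal git-config reader -> [(section, key, value)]; section name and key
    lowercased ('core', 'remote.origin', 'includeif.gitdir:~/w/'), comments
    skipped, a bare key means 'true'.  Continuation lines are not handled."""
    out, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if (m := _SECTION.match(line)):
            section = m.group(1).lower() + ("." + m.group(2) if m.group(2) is not None else "")
            continue
        if section and (m := _ENTRY.match(line)):
            value = m.group(2)
            value = "true" if value is None else re.split(r"\s[#;]", value, maxsplit=1)[0].strip().strip('"')
            out.append((section, m.group(1).lower(), value))
    return out


@dataclass
class Findings:
    git_dir: str
    bare: bool
    hooks_dir: str
    hooks_path_override: Optional[str] = None
    gitdir_pointer: Optional[str] = None              # .git is a file: "gitdir: <elsewhere>"
    hooks: List[str] = field(default_factory=list)    # executable or symlinked, not *.sample
    includes: List[str] = field(default_factory=list)  # include.path / includeIf.<cond>.path

    @property
    def risky(self) -> bool:
        return bool(self.hooks or self.hooks_path_override or self.includes or self.gitdir_pointer)


def locate_git_dir(path: str) -> Tuple[str, bool, Optional[str]]:
    """(git_dir, is_bare, pointer_target).  A pointer file is reported, not followed."""
    dotgit = os.path.join(path, ".git")
    if os.path.isdir(dotgit):
        return dotgit, False, None
    if os.path.isfile(dotgit):
        with open(dotgit, encoding="utf-8", errors="replace") as fh:
            first = fh.readline().strip()
        return dotgit, False, first.removeprefix("gitdir:").strip()
    if os.path.isfile(os.path.join(path, "HEAD")) and os.path.isdir(os.path.join(path, "objects")):
        return path, True, None
    raise ValueError(f"{path!r} does not look like a git repository")


def audit_repo(path: str) -> Findings:
    git_dir, bare, pointer = locate_git_dir(path)
    f = Findings(git_dir, bare, os.path.join(git_dir, "hooks"), gitdir_pointer=pointer)
    if pointer is not None:
        return f                                      # real git dir lies elsewhere: stop here
    cfg = os.path.join(git_dir, "config")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            entries = parse_git_config(fh.read())
        for section, key, value in entries:
            if section == "core" and key == "hookspath":
                f.hooks_path_override = value
                # githooks(5): hooks run from the working tree root ($GIT_DIR when
                # bare), so a relative hooksPath can point at ordinary tracked files.
                base = git_dir if bare else path
                f.hooks_dir = value if os.path.isabs(value) else os.path.join(base, value)
            elif key == "path" and (section == "include" or section.startswith("includeif.")):
                f.includes.append(value)
    if os.path.isdir(f.hooks_dir):
        for name in sorted(os.listdir(f.hooks_dir)):
            if name.endswith(".sample"):
                continue                              # git's stock samples are inert
            st = os.lstat(os.path.join(f.hooks_dir, name))
            if stat.S_ISLNK(st.st_mode) or (stat.S_ISREG(st.st_mode) and st.st_mode & 0o111):
                f.hooks.append(name)
    return f


def demo() -> Tuple[Findings, Findings]:
    """Constructed sample (built in temp dirs, not from any real repository):
    a crafted working copy whose hooksPath points into the tree, and a clean one."""
    crafted, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (crafted, clean):
        os.makedirs(os.path.join(root, ".git", "hooks"))
        with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")
    with open(os.path.join(clean, ".git", "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n\tbare = false\n")
    with open(os.path.join(crafted, ".git", "config"), "w") as fh:
        fh.write("[core]\n\tbare = false\n\thooksPath = tools/hooks  # looks like tooling\n"
                 "[include]\n\tpath = ../extra.inc\n")
    os.makedirs(os.path.join(crafted, "tools", "hooks"))
    hook = os.path.join(crafted, "tools", "hooks", "post-checkout")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho 'hook ran'\n")
    os.chmod(hook, 0o755)
    return audit_repo(crafted), audit_repo(clean)
```

Run `audit_repo(path)` on the untrusted directory before anything else touches it; a non-empty `hooks` list, a `hooks_path_override`, `includes`, or a `gitdir_pointer` each mean the repository is carrying configuration that a fixed git would still honour once you work inside it, which is why the advisory recommends `git clone --no-local` into a fresh directory and, even then, only with a patched git.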
Bugzilla
CVE-2024-32004 git: RCE while cloning local repos
bugzilla·2024-05-14·CVSS 7.8
CVE-2024-32004 [HIGH] CVE-2024-32004 git: RCE while cloning local repos
CVE-2024-32004 git: RCE while cloning local repos
An attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation.
Discussion:
Created git tracking bugs for this issue:
Affects: fedora-all [bug 2280429]
---
Created rubygem-dynect_rest tracking bugs for this issue:
Affects: epel-all [bug 2280430]
Created rubygem-rouge tracking bugs for this issue:
Affects: fedora-all [bug 2280431]
Created rubygem-stringex tracking bugs for this issue:
Affects: fedora-all [bug 2280432]
Created swiftlint tracking bugs for this issue:
Affects: fedora-all [bug 2280433]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:4084 https://access.redhat.com/errata/RHSA-2024:4084
---
This
Trendmicro
The May 2024 Security Update Review
blogs_trendmicro·2024-05-14·CVSS 7.8
[HIGH] The May 2024 Security Update Review
# The May 2024 Security Update Review
Get the May 2024 security update and review.
By: Dustin Childs
2024/05/14
Welcome to the second Tuesday of May. As expected, Adobe and Microsoft have released their standard bunch of security patches. Take a break from your regular activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Apple Patches for May 2024
Apple kicked off the May release cycle with a group of updates for their macOS and iOS platforms. Most notable is a fix for CVE-2024-23296 for iOS 16.7.8 and iPadOS 16.7.8. This vulnerability is a memory corruption issue in RTKit that could allow attackers to bypass kernel memory protec
Tenable
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
blogs_tenable·2024-05-14·CVSS 8.8
[HIGH] Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
Bleepingcomputer
Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
blogs_bleepingcomputer·2024-05-14·CVSS 8.8
[HIGH] Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
## Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
## Lawrence Abrams
17 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
27 Remote Code Execution Vulnerabilities
7 Information Disclosure Vulnerabilities
3 Denial of Service Vulnerabilities
4 Spoofing Vulnerabilities
The total count of 61 flaws does not include 2 Microsoft Edge flaws fixed on May 2nd and four fixed on May 10th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5037771 cumulative update and the Windows 10 KB5037768 update .
## Three zero-days fixed
This month's Patch Tuesday fixes two actively exploited and one publicly disclosed zero-day vulnerabilities.
Microsoft classifies a zero-day as a flaw
References
- http://www.openwall.com/lists/oss-security/2024/05/14/2
- https://git-scm.com/docs/git-clone
- https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
- https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
- https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/
Published: 2024-05-14