Strix
26.1K

CVE-2024-32465

HIGHCVSS 7.8/10EPSS 0.91%

Last modified

CVE-2024-32465 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. EPSS estimates a 0.91% chance of exploitation in the next 30 days.

Description

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Metrics

CVSS 3.1
7.8/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability
0.91%

55.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Git-ScmGit< 2.39.4
Git-ScmGit>= 2.40.0, < 2.40.2
Git-ScmGit>= 2.42.0, < 2.42.2
Git-ScmGit>= 2.43.0, < 2.43.4
Git-ScmGit2.41.0
Git-ScmGit2.44.0
Git-ScmGit2.45.0
FedoraprojectFedora40
DebianDebian Linux10.0
DebianDebian Linux11.0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-32465?
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.
How severe is CVE-2024-32465?
CVE-2024-32465 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.91% probability of exploitation in the next 30 days.
How do I fix CVE-2024-32465?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-32465?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST