CVE-2024-32004
Git vulnerable to Remote Code Execution while cloning special-crafted local repositories
In short
Git can be tricked into running attacker-supplied code when you clone a specially crafted repository from a local path. The code runs during the clone itself, with the privileges of the user doing the cloning, before there is any chance to inspect what was fetched.
Technical detail
CVE-2024-32004 affects Git before 2.45.1 and the corresponding maintenance releases on the 2.39 through 2.44 lines; release lines older than 2.39 received no fix. The attack requires a local repository: the attacker prepares a repository on a filesystem the victim can reach (a shared disk, a mounted volume, a directory the victim was handed), and a repository can be configured so that cloning it through a local path executes arbitrary commands with the privileges of the cloning user. The CVSS vector reflects exactly this shape: local attack vector and high complexity (the repository has to be staged where the victim will clone it), but no privileges or user interaction beyond the clone itself, and a scope change because code runs outside the repository being cloned. Per the Git 2.45.1 release notes, the fix extends the repository-ownership checks introduced in v2.30.3 (the safe.directory mechanism) to cover local clones, so a local source repository owned by a different user is no longer trusted. Two practical caveats: ownership checks do nothing for a repository the victim already owns, such as one unpacked from an attacker-supplied archive, which is the separate CVE-2024-32465 fixed in the same releases; and the "avoid cloning from untrusted sources" workaround must be read as "avoid cloning untrusted repositories from the local filesystem", since that is the path the vulnerable code is on.
Summary generated and translated by AI from the official description.
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, it will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.
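The fixed versions above are spread across seven maintenance branches, so "is my git new enough?" is a per-branch comparison rather than a single threshold. The following POSIX shell function is an added example for this page, not part of the advisory or of Git's own tooling: it classifies a `git --version` string against that table, treating release lines older than 2.39 as unfixed and lines newer than 2.45 as carrying the fix. The function name and the `CVE_2024_32004_FIXED` variable are this example's own. It judges by upstream version number only: distributions such as Debian backport fixes into an older upstream version string (see the Debian LTS announcements in the references), so a negative result means "check your distribution's advisory", not "definitely vulnerable".

```shell
#!/bin/sh
# Added example, not Git's own tooling: classify a git version string
# against the fixed releases for CVE-2024-32004 listed in the advisory.
# Judges by upstream version number only; distro backports are not detected.

# Fixed release per maintenance branch, as listed in the advisory text.
CVE_2024_32004_FIXED="2.45.1 2.44.1 2.43.4 2.42.2 2.41.1 2.40.2 2.39.4"

# git_version_is_fixed "<output of git --version>"
# Returns 0 if the version carries the fix, 1 if it is vulnerable or unparseable.
git_version_is_fixed() {
    # Keep only the leading X.Y.Z of strings like "git version 2.43.3.windows.1"
    # or "git version 2.39.3 (Apple Git-146)".
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    saved_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$saved_ifs
    major=${1:-}
    minor=${2:-0}
    patch=${3:-0}

    # No leading number at all: refuse to call it fixed.
    case $major in
        '' | *[!0-9]*) return 1 ;;
    esac
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi

    # Same maintenance branch: fixed iff the patch level reaches the fixed release.
    for fixed in $CVE_2024_32004_FIXED; do
        rest=${fixed#*.}
        f_minor=${rest%%.*}
        f_patch=${rest#*.}
        if [ "$minor" -eq "$f_minor" ]; then
            if [ "$patch" -ge "$f_patch" ]; then return 0; fi
            return 1
        fi
    done

    # Not a listed branch: 2.46 and later ship the fix, 2.38 and older never got one.
    if [ "$minor" -gt 45 ]; then return 0; fi
    return 1
}

# Report on the git found in PATH; skipped when git is not installed.
if command -v git >/dev/null 2>&1; then
    installed=$(git --version)
    if git_version_is_fixed "$installed"; then
        echo "$installed: at or above the fixed release for CVE-2024-32004"
    else
        echo "$installed: below the fixed release for CVE-2024-32004 (check distro advisories for backports)"
    fi
fi
```

Run it on each host that clones from shared or user-writable paths (build agents, developer workstations with network mounts). The same table-driven comparison applies to the other CVEs fixed in the 2.45.1 release set, since they share the same seven fixed versions.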
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 8.1, High)
Affected products
git · git
References
https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
https://git-scm.com/docs/git-clone
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/
http://www.openwall.com/lists/oss-security/2024/05/14/2