Security News > 2024 > May > Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002)
New versions of Git are out, with fixes for five vulnerabilities, the most critical of which can be used by attackers to remotely execute code during a "Clone" operation.
CVE-2024-32002 is a critical vulnerability that allows specially crafted Git repositories with submodules to trick Git into writing files into a.git/ directory instead of the submodule's worktree.
"This is possible by a combination of confusing Git with a directory and a symbolic link that differs only in case so that Git can write either one, or the other, but not both. This confusion can be used to manipulate Git into writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed," Git for Windows maintainer Johannes Schindelin explained.
CVE-2024-32004 also allows remote code execution, but only on multi-user machines: "An attacker can prepare a local repository so that it looks like a partial clone that is missing an object, so that, when this repository is cloned, Git will execute arbitrary code during the operation with full permissions of the user performing the clone."
CVE-2024-32465 may allow attackers to bypass protections for cloning untrusted repositories, CVE-2024-32020 may allow untrusted users to modify objects in the cloned repository, and CVE-2024-32021 may be used to manipulate Git into writing files outside the Git worktree and outside the.
"Upgrading to the latest Git version is essential to protect against these vulnerabilities. If you cannot update immediately, please be careful from where you clone repositories," Schindelin advised.
News URL
https://www.helpnetsecurity.com/2024/05/16/git-cve-2024-32002/
Related news
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- New UEFI Secure Boot bypass vulnerability discovered (CVE-2024-7344) (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-05-14 | CVE-2024-32465 | Git is a revision control system. | 0.0 |
| 2024-05-14 | CVE-2024-32021 | Git is a revision control system. | 0.0 |
| 2024-05-14 | CVE-2024-32020 | Git is a revision control system. | 0.0 |
| 2024-05-14 | CVE-2024-32004 | Git is a revision control system. | 0.0 |
| 2024-05-14 | CVE-2024-32002 | Link Following vulnerability in GIT Git is a revision control system. | 9.0 |