On May 14, 2024, a new version of Git, v2.45.1, was released, fixing five security vulnerabilities at once. The update affects all the main platforms: Windows, macOS, Linux and BSD.
GitHub Desktop and Visual Studio, which include Git components, also released corresponding updates. The fixed vulnerabilities include:
- CVE-2024-32002 (CVSS 9.1). Repositories with submodules can force Git to execute commands from the “.git/” directory during cloning, which can lead to remote code execution.
- CVE-2024-32004 (CVSS 8.2). An attacker can create a local repository and use it to execute arbitrary code when it is cloned.
- CVE-2024-32465 (CVSS 7.4). Cloning from ZIP files containing Git repositories can bypass existing protections, potentially executing unsafe scripts.
- CVE-2024-32020 (CVSS 3.9). Local clones on the same disk can allow unauthorized users to modify files in the object database of the cloned repository.
- CVE-2024-32021 (CVSS 3.9). Cloning a local repository with symbolic links can lead to the creation of hard links to arbitrary files in the “objects/” directory.