FIVE VULNERABILITIES IN GIT, ONE CRITICAL

A recent report has highlighted the correction of issues in the distributed control system of Git versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, where five vulnerabilities have been eliminated. The most critical vulnerability identified as CVE-2024-32002 poses a significant danger by allowing an attacker to execute their code while cloning through the Git Clone command.

This vulnerability specifically affects file systems that do not differentiate symbol register and support symbolic links, a scenario commonly found in default systems like Windows and MacOS. The attack involves creating a directory and symbolic link in the submodule, differing only in the symbol register, enabling the writing of files to the .git directory instead of the submodule working directory. This unauthorized writing in .git allows attackers to manipulate Hook-calls through .git/hooks and execute arbitrary code during Git Clone operations.

Other vulnerabilities identified include:

  • CVE-2024-32004 where a malicious actor can exploit a custom local repository to execute code during cloning.
  • CVE-2024-32465 allows execution of HOOKs when cloning from zip archives containing full GIT-Ro-Roading.
  • CVE-2024-32020 enables unauthorized file changes in multi-user systems through local repository cloning.
  • CVE-2024-32021 exploiting symbolic
/Reports, release notes, official announcements.