CVE-2022-24975 - OpenCVE

The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Git-scm	Git

Configuration 1 [-]

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/
https://nvd.nist.gov/vuln/detail/CVE-2022-24975
https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
https://www.cve.org/CVERecord?id=CVE-2022-24975
https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-02-11T00:00:00

Updated: 2024-08-03T04:29:01.534Z

Reserved: 2022-02-11T00:00:00

Link: CVE-2022-24975

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-02-11T20:15:07.507

Modified: 2024-08-03T05:15:53.763

Link: CVE-2022-24975

Redhat

Severity : Low

Publid Date: 2022-02-11T00:00:00Z

Links: CVE-2022-24975 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "0342C612-A603-40D9-B6EF-B8D8D3DAA3A5", "versionEndIncluding": "2.35.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk."}, {"lang": "es", "value": "La documentaci\u00f3n --mirror para Git versiones hasta 2.35.1, no menciona la disponibilidad del contenido eliminado, tambi\u00e9n se conoce como el problema \"GitBleed\". Esto podr\u00eda presentar un riesgo de seguridad si los procesos de auditor\u00eda de divulgaci\u00f3n de informaci\u00f3n dependen de una operaci\u00f3n de clonaci\u00f3n sin la opci\u00f3n --mirror"}], "id": "CVE-2022-24975", "lastModified": "2024-08-03T05:15:53.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T20:15:07.507", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"}, {"source": "cve@mitre.org", "url": "https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/"}, {"source": "cve@mitre.org", "url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "git: The --mirror option for git leaks secret for deleted content, aka the \"GitBleed\"", "id": "2054686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054686"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.", "A flaw known as \"GitBleed\" was found in Git, where repositories cloned via the \"\u2013mirror\" option may leak secrets or sensitive information if not properly removed/deleted earlier. This flaw allows attackers and bug bounty hunters to use this discrepancy in Git behavior to find hidden secrets and other sensitive data in public repositories."], "mitigation": {"lang": "en:us", "value": "Organizations can mitigate this by analyzing a fuller copy of their repositories using the \u201c\u2013mirror\u201d option and removing sensitive data using tools like BFG or git-filter-repo. Garbage collection and pruning in git is also recommended.\nOrganizations should not analyze regular cloned copies (without the \u201c\u2013mirror\u201d option) since that may provide a false sense of security, and should not rely on methods of removing secrets such as deleting a branch or rewinding history via the \u201cgit reset\u201d command."}, "name": "CVE-2022-24975", "package_state": [{"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-git227-git", "product_name": "Red Hat Software Collections"}], "public_date": "2022-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24975\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24975\nhttps://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/"], "statement": "The \"GitBleed\" issue can't be fixed, because it requires basic user education and can be fixed only by administrators responsible for individual repositories by analyzing a whole copy of their own repositories using the \u201c\u2013mirror\u201d option and removing sensitive data using tools like BFG or git-filter-repo.", "threat_severity": "Low"}