{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24577", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-25T15:09:40.211Z", "datePublished": "2024-02-06T21:36:12.517Z", "dateUpdated": "2024-08-01T23:19:52.907Z"}, "containers": {"cna": {"title": "libgit2 is vulnerable to arbitrary code execution due to heap corruption in `git_index_add`", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8"}, {"name": "https://github.com/libgit2/libgit2/releases/tag/v1.6.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/libgit2/libgit2/releases/tag/v1.6.5"}, {"name": "https://github.com/libgit2/libgit2/releases/tag/v1.7.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/libgit2/libgit2/releases/tag/v1.7.2"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html"}], "affected": [{"vendor": "libgit2", "product": "libgit2", "versions": [{"version": "< 1.6.5", "status": "affected"}, {"version": ">= 1.7.0, < 1.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-06T21:36:12.517Z"}, "descriptions": [{"lang": "en", "value": "libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2."}], "source": {"advisory": "GHSA-j2v7-4f6v-gpg8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.907Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8"}, {"name": "https://github.com/libgit2/libgit2/releases/tag/v1.6.5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libgit2/libgit2/releases/tag/v1.6.5"}, {"name": "https://github.com/libgit2/libgit2/releases/tag/v1.7.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libgit2/libgit2/releases/tag/v1.7.2"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB8F928B-1059-4B60-877B-AAECE739B575", "versionEndExcluding": "1.6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*", "matchCriteriaId": "E036286C-1FDD-47D7-89BA-5A436B2E72DF", "versionEndExcluding": "1.7.2", "versionStartIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2."}, {"lang": "es", "value": "libgit2 es una implementaci\u00f3n C port\u00e1til de los m\u00e9todos principales de Git proporcionada como una librer\u00eda vinculable con una API s\u00f3lida, que permite incorporar la funcionalidad de Git en su aplicaci\u00f3n. El uso de entradas bien manipuladas para `git_index_add` puede provocar da\u00f1os en el almacenamiento din\u00e1mico que podr\u00edan aprovecharse para la ejecuci\u00f3n de c\u00f3digo arbitrario. Hay un problema en la funci\u00f3n `has_dir_name` en `src/libgit2/index.c`, que libera una entrada que no deber\u00eda liberarse. La entrada liberada se utiliza posteriormente y se sobrescribe con datos controlados por actores potencialmente malos, lo que conduce a una corrupci\u00f3n controlada de almacenamiento din\u00e1mico. Dependiendo de la aplicaci\u00f3n que utilice libgit2, esto podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Este problema se solucion\u00f3 en las versiones 1.6.5 y 1.7.2."}], "id": "CVE-2024-24577", "lastModified": "2024-02-27T10:15:08.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-06T22:16:15.270", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/libgit2/libgit2/releases/tag/v1.6.5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/libgit2/libgit2/releases/tag/v1.7.2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "libgit2: arbitrary code execution due to heap corruption in git_index_add", "id": "2263095", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263095"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.", "A flaw was found in libgit2, a cross-platform, linkable library implementation of Git. A specially crafted payload to git_index_add can cause heap corruption that could be leveraged for arbitrary code execution. The attacker must be able to trigger two consecutive calls to git_index_add with a filename that starts with a / character to exploit this vulnerability. To control the heap corruption, the attacker must be able to control the ctime field of the git_index_entry data structure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-24577", "package_state": [{"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Not affected", "package_name": "rust-toolset-1.66-rust", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libgit2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "libgit2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "rust-toolset:rhel8/rust", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24577\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24577"], "statement": "Cargo in Red Hat Enterprise Linux 8 & 9 does use a bundled libgit2. However, cargo does not call git_index_add directly, and the only indirect call I can find is via git_reset, which does not involve any externally-provided paths. Therefore, Red Hat Enterprise Linux should be Not Affected by this CVE.", "threat_severity": "Important", "upstream_fix": "libgit2 1.6.5, libgit2 1.7.2"}