{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32004", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-08T13:48:37.493Z", "datePublished": "2024-05-14T18:46:32.192Z", "dateUpdated": "2024-08-09T18:41:23.817Z"}, "containers": {"cna": {"title": "Git vulnerable to Remote Code Execution while cloning special-crafted local repositories", "problemTypes": [{"descriptions": [{"cweId": "CWE-114", "lang": "en", "description": "CWE-114: Process Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"}, {"name": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8"}, {"name": "https://git-scm.com/docs/git-clone", "tags": ["x_refsource_MISC"], "url": "https://git-scm.com/docs/git-clone"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}], "affected": [{"vendor": "git", "product": "git", "versions": [{"version": "= 2.45.0", "status": "affected"}, {"version": "= 2.44.0", "status": "affected"}, {"version": ">= 2.43.0, < 2.43.4", "status": "affected"}, {"version": ">= 2.42.0, < 2.42.2", "status": "affected"}, {"version": "= 2.41.0", "status": "affected"}, {"version": ">= 2.40.0, < 2.40.2", "status": "affected"}, {"version": "< 2.39.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T18:46:32.192Z"}, "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources."}], "source": {"advisory": "GHSA-xfc6-vwr8-r389", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:50.824Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"}, {"name": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8"}, {"name": "https://git-scm.com/docs/git-clone", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git-scm.com/docs/git-clone"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:2.45.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.45.0", "status": "affected"}]}, {"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:2.44.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.44.0", "status": "affected"}]}, {"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:2.43.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.43.0", "status": "affected", "lessThan": "2.43.4", "versionType": "custom"}]}, {"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:2.42.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.42.0", "status": "affected", "lessThan": "2.42.2", "versionType": "custom"}]}, {"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:2.41.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.41.0", "status": "affected"}]}, {"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:2.40.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.40.0", "status": "affected", "lessThan": "2.40.2", "versionType": "custom"}]}, {"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.39.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-15T17:59:29.364044Z", "id": "CVE-2024-32004", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:41:23.817Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "name": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "name": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://git-scm.com/docs/git-clone", "name": "https://git-scm.com/docs/git-clone", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:50.824Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32004", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-15T17:59:29.364044Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:git:git:2.45.0:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "2.45.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:git:git:2.44.0:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "2.44.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:git:git:2.43.0:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "2.43.0", "lessThan": "2.43.4", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:git:git:2.42.0:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "2.42.0", "lessThan": "2.42.2", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:git:git:2.41.0:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "2.41.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:git:git:2.40.0:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "2.40.0", "lessThan": "2.40.2", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "0", "lessThan": "2.39.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:41:03.834Z"}}], "cna": {"title": "Git vulnerable to Remote Code Execution while cloning special-crafted local repositories", "source": {"advisory": "GHSA-xfc6-vwr8-r389", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "= 2.45.0"}, {"status": "affected", "version": "= 2.44.0"}, {"status": "affected", "version": ">= 2.43.0, < 2.43.4"}, {"status": "affected", "version": ">= 2.42.0, < 2.42.2"}, {"status": "affected", "version": "= 2.41.0"}, {"status": "affected", "version": ">= 2.40.0, < 2.40.2"}, {"status": "affected", "version": "< 2.39.4"}]}], "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "name": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "name": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8", "tags": ["x_refsource_MISC"]}, {"url": "https://git-scm.com/docs/git-clone", "name": "https://git-scm.com/docs/git-clone", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}], "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-114", "description": "CWE-114: Process Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T18:46:32.192Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32004", "state": "PUBLISHED", "dateUpdated": "2024-08-09T18:41:23.817Z", "dateReserved": "2024-04-08T13:48:37.493Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-14T18:46:32.192Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources."}, {"lang": "es", "value": "Git es un sistema de control de revisiones. Antes de las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4, un atacante puede preparar un repositorio local de tal manera que, cuando se clone, ejecute c\u00f3digo arbitrario durante la operaci\u00f3n. El problema se solucion\u00f3 en las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4. Como workaround, evite clonar repositorios de fuentes que no sean de confianza."}], "id": "CVE-2024-32004", "lastModified": "2024-06-26T10:15:12.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T19:15:11.377", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"source": "security-advisories@github.com", "url": "https://git-scm.com/docs/git-clone"}, {"source": "security-advisories@github.com", "url": "https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8"}, {"source": "security-advisories@github.com", "url": "https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-114"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:4084", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-0:2.43.5-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-25T00:00:00Z"}, {"advisory": "RHSA-2024:6028", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "git-0:2.27.0-5.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6028", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "git-0:2.27.0-5.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6028", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "git-0:2.27.0-5.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6027", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "git-0:2.31.8-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6027", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "git-0:2.31.8-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6027", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "git-0:2.31.8-3.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:4579", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "git-0:2.39.5-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-07-16T00:00:00Z"}, {"advisory": "RHSA-2024:4083", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "git-0:2.43.5-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-25T00:00:00Z"}, {"advisory": "RHSA-2024:6610", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "git-0:2.31.1-6.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-09-11T00:00:00Z"}, {"advisory": "RHSA-2024:4368", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "git-0:2.39.5-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-08T00:00:00Z"}], "bugzilla": {"description": "git: RCE while cloning local repos", "id": "2280428", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280428"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-114", "details": ["Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.", "A vulnerability was found in Git. This vulnerability can be exploited by an unauthenticated attacker who places a specialized repository on the target's local system. If the victim clones this repository, the attacker can execute arbitrary code."], "mitigation": {"lang": "en:us", "value": "Exercise caution when cloning repositories from untrusted sources."}, "name": "CVE-2024-32004", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "impact": "low", "package_name": "git", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Affected", "package_name": "rh-git227-git", "product_name": "Red Hat Software Collections"}], "public_date": "2024-05-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32004\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32004\nhttps://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"], "statement": "This vulnerability, while significant, does not reach Critical severity due to its reliance on local repository manipulation. While it allows attackers to execute arbitrary code during cloning operations, its impact is constrained by the necessity for access to the target's local environment. Critical severity typically involves vulnerabilities that can be exploited remotely or without user interaction. Nonetheless, this issue remains Important as it can lead to unauthorized code execution, potentially compromising the integrity and security of affected systems.\nFuse 7 Karaf uses JGit to manage patches. It's heavily protected by file permissions and RBAC. Unless an attacker have write permissions to Fuse internal git repositories, this vulnerability is not exploitable.", "threat_severity": "Important", "upstream_fix": "git 2.45.1, git 2.44.1, git 2.43.4, git 2.42.2, git 2.41.1, git 2.40.2, git 2.39.4"}