{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-09T15:29:35.937Z", "datePublished": "2024-05-14T19:15:28.534Z", "dateUpdated": "2024-08-02T01:59:50.833Z"}, "containers": {"cna": {"title": "Local Git clone may hardlink arbitrary user-readable files into the new repository's \"objects/\" directory", "problemTypes": [{"descriptions": [{"cweId": "CWE-547", "lang": "en", "description": "CWE-547: Use of Hard-coded, Security-relevant Constants", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}], "affected": [{"vendor": "git", "product": "git", "versions": [{"version": "= 2.45.0", "status": "affected"}, {"version": "= 2.44.0", "status": "affected"}, {"version": ">= 2.43.0, < 2.43.4", "status": "affected"}, {"version": ">= 2.42.0, < 2.42.2", "status": "affected"}, {"version": "= 2.41.0", "status": "affected"}, {"version": ">= 2.40.0, < 2.40.2", "status": "affected"}, {"version": "< 2.39.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T19:15:28.534Z"}, "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4."}], "source": {"advisory": "GHSA-mvxm-9j2h-qjx7", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.39.4", "versionType": "custom"}, {"version": "2.40.0", "status": "affected", "lessThan": "2.40.2", "versionType": "custom"}, {"version": "2.41.0", "status": "affected", "lessThan": "2.41.1", "versionType": "custom"}, {"version": "2.42.0", "status": "affected", "lessThan": "2.42.2", "versionType": "custom"}, {"version": "2.43.0", "status": "affected", "lessThan": "2.43.4", "versionType": "custom"}, {"version": "2.44.0", "status": "affected", "lessThan": "2.44.1", "versionType": "custom"}, {"version": "2.45.0", "status": "affected", "lessThan": "2.45.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-11T20:29:23.147248Z", "id": "CVE-2024-32021", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T20:39:28.890Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:50.833Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7", "name": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:59:50.833Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32021", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-11T20:29:23.147248Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "0", "lessThan": "2.39.4", "versionType": "custom"}, {"status": "affected", "version": "2.40.0", "lessThan": "2.40.2", "versionType": "custom"}, {"status": "affected", "version": "2.41.0", "lessThan": "2.41.1", "versionType": "custom"}, {"status": "affected", "version": "2.42.0", "lessThan": "2.42.2", "versionType": "custom"}, {"status": "affected", "version": "2.43.0", "lessThan": "2.43.4", "versionType": "custom"}, {"status": "affected", "version": "2.44.0", "lessThan": "2.44.1", "versionType": "custom"}, {"status": "affected", "version": "2.45.0", "lessThan": "2.45.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T20:39:04.278Z"}}], "cna": {"title": "Local Git clone may hardlink arbitrary user-readable files into the new repository's \"objects/\" directory", "source": {"advisory": "GHSA-mvxm-9j2h-qjx7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "= 2.45.0"}, {"status": "affected", "version": "= 2.44.0"}, {"status": "affected", "version": ">= 2.43.0, < 2.43.4"}, {"status": "affected", "version": ">= 2.42.0, < 2.42.2"}, {"status": "affected", "version": "= 2.41.0"}, {"status": "affected", "version": ">= 2.40.0, < 2.40.2"}, {"status": "affected", "version": "< 2.39.4"}]}], "references": [{"url": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7", "name": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}], "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-547", "description": "CWE-547: Use of Hard-coded, Security-relevant Constants"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T19:15:28.534Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32021", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:59:50.833Z", "dateReserved": "2024-04-09T15:29:35.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-14T19:15:28.534Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4."}, {"lang": "es", "value": "Git es un sistema de control de revisiones. Antes de las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4, al clonar un repositorio de origen local que contiene enlaces simb\u00f3licos a trav\u00e9s del sistema de archivos, Git puede crear enlaces duros a archivos arbitrarios legibles por el usuario en el mismo sistema de archivos que el repositorio de destino en el directorio `objects/`. Clonar un repositorio local sobre el sistema de archivos puede crear enlaces duros a archivos arbitrarios propiedad del usuario en el mismo sistema de archivos en el directorio `objects/` del repositorio Git de destino. Al clonar un repositorio a trav\u00e9s del sistema de archivos (sin especificar expl\u00edcitamente el protocolo `file://` o `--no-local`), se utilizar\u00e1n las optimizaciones para la clonaci\u00f3n local, que incluyen intentar vincular los archivos objeto en lugar de copiarlos. a ellos. Si bien el c\u00f3digo incluye verificaciones de enlaces simb\u00f3licos en el repositorio de origen, que se agregaron durante la correcci\u00f3n de CVE-2022-39253, estas verificaciones a\u00fan se pueden ejecutar porque la operaci\u00f3n de enlace f\u00edsico finalmente sigue enlaces simb\u00f3licos. Si el objeto en el sistema de archivos aparece como un archivo durante la verificaci\u00f3n, y luego como un enlace simb\u00f3lico durante la operaci\u00f3n, esto permitir\u00e1 al adversario eludir la verificaci\u00f3n y crear v\u00ednculos f\u00edsicos en el directorio de objetos de destino a archivos arbitrarios legibles por el usuario. El problema se solucion\u00f3 en las versiones 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 y 2.39.4."}], "id": "CVE-2024-32021", "lastModified": "2024-06-26T10:15:12.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T20:15:13.630", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2024/05/14/2"}, {"source": "security-advisories@github.com", "url": "https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-547"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:4084", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-0:2.43.5-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-06-25T00:00:00Z"}, {"advisory": "RHSA-2024:4083", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "git-0:2.43.5-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-25T00:00:00Z"}, {"advisory": "RHSA-2024:4368", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "git-0:2.39.5-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-08T00:00:00Z"}], "bugzilla": {"description": "git: symlink bypass", "id": "2280484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280484"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L", "status": "verified"}, "cwe": "CWE-61", "details": ["Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.", "A vulnerability was found in Git. This flaw allows an unauthenticated attacker to place a repository on their target's local system that contains symlinks. During the cloning process, Git could be tricked into creating hardlinked arbitrary files into their repository's objects/ directory, impacting availability and integrity."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-32021", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "git", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-git227-git", "product_name": "Red Hat Software Collections"}], "public_date": "2024-05-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-32021\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-32021\nhttps://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7"], "statement": "While the Git vulnerability described involves the potential creation of hardlinks to arbitrary files during the cloning process, its severity is considered Low due to several mitigating factors. First, successful exploitation relies on the presence of specific conditions, including the use of local cloning over the filesystem and the ability to manipulate symbolic links within the source repository. Secondly, the impact is limited to the creation of hardlinks to user-readable files, which may not necessarily lead to immediate compromise or exploitation of sensitive data. Additionally, the likelihood of exploitation is reduced by the need for direct access to the filesystem where the cloning operation occurs.", "threat_severity": "Low", "upstream_fix": "git 2.45.1, git 2.44.1, git 2.43.4, git 2.42.2, git 2.41.1, git 2.40.2, git 2.39.4"}