CyberSecurityBoard
Sponsor Register Login

Critical Git vulnerability allows RCE when cloning repositories with submodules

Git is a widely-popular distributed version control system for collaborative software development.
It can be installed on machines running Windows, macOS, Linux, and various *BSD distributions.
Web-based software development platforms GitHub and GitLab are based on Git.
Visual Studio, Microsoft's integrated development environment, has Git tooling built directly into it, and other IDEs rely on it.
CVE-2024-32002 is a critical vulnerability that allows specially crafted Git repositories with submodules to trick Git into writing files into a.git/ directory instead of the submodule's worktree.
CVE-2024-32465 may allow attackers to bypass protections for cloning untrusted repositories, CVE-2024-32020 may allow untrusted users to modify objects in the cloned repository, and CVE-2024-32021 may be used to manipulate Git into writing files outside the Git worktree and outside the.
He also shared that more changes have been made to Git to make the cloning process more secure: improvements to protect against remote code execution, better handling of symbolic links and directories, a more secure way of running hooks, and more.
Fixed versions of Git have been embedded in the latest GitHub Desktop releases.
Fixes for CVE-2024-32002 and CVE-2024-32004 have been implemented in Visual Studio.
The fact that Git is so widely used and repository cloning is a very common operation makes CVE-2024-32004 a significant risk, but updating Git or disabling symbolic link support in it eliminates the possibility of a successful attack.
Perform one of these actions as soon as possible, because creating an exploit and leveraging it is professedly easy.


This Cyber News was published on www.helpnetsecurity.com. Publication date: Fri, 17 May 2024 10:43:06 +0000


Cyber News related to Critical Git vulnerability allows RCE when cloning repositories with submodules

Critical Git vulnerability allows RCE when cloning repositories with submodules - Git is a widely-popular distributed version control system for collaborative software development. It can be installed on machines running Windows, macOS, Linux, and various *BSD distributions. Web-based software development platforms GitHub and ...
1 year ago Helpnetsecurity.com CVE-2024-32002 CVE-2024-32465 CVE-2024-32020 CVE-2024-32021 CVE-2024-32004
CVE-2020-26233 - Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, ...
4 years ago
CVE-2024-50338 - Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the ...
4 months ago Tenable.com
CVE-2022-39253 - Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local ...
1 year ago
CVE-2020-11008 - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open ...
5 years ago
CVE-2023-22490 - Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a ...
1 year ago
FTC soliciting contest submissions to help tackle voice cloning technology - The Federal Trade Commission is now accepting submissions for a contest designed to spur development of products and policies to protect consumers from the malicious use of voice cloning technology, which has been fueled by the advance of ...
1 year ago Therecord.media
CVE-2024-53858 - The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing `git` submodules hosted outside of GitHub.com and ghe.com. ...
6 months ago Tenable.com
CVE-2022-24765 - Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder ...
1 year ago
CVE-2021-21300 - Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be ...
2 years ago
CVE-2022-41953 - Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is ...
2 years ago
CVE-2021-23632 - All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js ...
3 years ago
Hackers ramp up scans for leaked Git tokens and secrets - To mitigate the risks that arise from these scans, it is recommended to block access to .git/ directories, configure web servers to prevent access to hidden files, monitor server logs for suspicious .git/config access, and rotate potentially exposed ...
1 month ago Bleepingcomputer.com Snatch
CVE-2022-24826 - On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does ...
3 years ago
CVE-2024-45405 - `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` ...
8 months ago
CVE-2024-32002 - Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the ...
1 year ago Tenable.com
CVE-2024-35183 - wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl ...
1 year ago
CVE-2022-41903 - Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding ...
1 year ago
CVE-2024-32465 - Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even ...
11 months ago
Deep dive into synthetic voice phishing defense - Voice phishing attacks are an escalating threat and this alarming statistic highlights a pervasive lack of awareness among the general population. At the moment, different techniques are being used by both big and small businesses to fight back ...
1 year ago Cybersecurity-insiders.com
CVE-2023-40590 - GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs ...
1 year ago
Git Update to Address Malicious Activity - What You Need to Know - Git users are being urged to update their software to address a number of malicious activities. According to The Hacker News, the popular distributed version control system, which is used for managing source code revisions and enabling developers to ...
2 years ago Thehackernews.com
CVE-2020-5260 - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials ...
4 years ago
CVE-2025-23040 - GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user's credentials through the use of ...
4 months ago Tenable.com
Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
1 year ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)