CVE-2024-32021 — LOW (3.9) — White Hats Nepal

Q: How severe is CVE-2024-32021?

CVE-2024-32021 has been rated LOW with a CVSS base score of 3.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-32021?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

CVSS Score

3.9

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Git-Scm	Git	< 2.39.4
Fedoraproject	Fedora	40
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-547

References

http://www.openwall.com/lists/oss-security/2024/05/14/2Mailing ListThird Party Advisory
https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7ExploitVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2024/05/14/2Mailing ListThird Party Advisory
https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7ExploitVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00009.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory

FAQ

What is CVE-2024-32021?

CVE-2024-32021 is a vulnerability with a CVSS score of 3.9 (LOW). Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git ma...

How severe is CVE-2024-32021?

CVE-2024-32021 has been rated LOW with a CVSS base score of 3.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-32021?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Fedoraproject Fedora, Debian Debian Linux.