#VU91286 UNIX Hard Link in Git - CVE-2024-32020
Published: June 7, 2024
Vulnerability identifier: #VU91286
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-32020
CWE-ID: CWE-62
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Git
Git
Software vendor:
Git
Git
Description
The vulnerability allows a remote attacker to compromise the original repository.
The vulnerability exists due to insecure hardlink following when working with local clones. Local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user.
Remediation
Install updates from vendor's website.