UNIX Hard Link in Git

#VU91286 UNIX Hard Link in Git

Published: 2024-06-07

Vulnerability identifier: #VU91286

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-32020

CWE-ID: CWE-62

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows a remote attacker to compromise the original repository.

The vulnerability exists due to insecure hardlink following when working with local clones. Local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git: 2.45.0 - 2.45.1, 2.44.0 - 2.44.1, 2.43.0 - 2.43.4, 2.42.0 - 2.42.2, 2.41.0 - 2.41.1, 2.40.0 - 2.40.2, 2.39.0 - 2.39.4, 2.30.0 - 2.30.9, 2.3.0 - 2.38.5, 2.37.0 - 2.37.7, 2.36.0 - 2.36.6, 2.35.0 - 2.35.8, 2.34.0 - 2.34.8, 2.33.0 - 2.33.8, 2.32.0 - 2.32.7, 2.31.0 - 2.31.8, 2.21.0 - 2.21.4, 2.22.0 - 2.22.5, 2.23.0 - 2.23.4, 2.24.0 - 2.24.4, 2.25.0 - 2.25.5, 2.26.0 - 2.26.3, 2.27.0 - 2.27.1, 2.28.0 - 2.28.1, 2.29.0 - 2.29.3, 2.17 - 2.17.5, 2.18.0 - 2.18.4, 2.19.0 - 2.19.5, 2.20.0 - 2.20.4, 2.16.0 - 2.16.6, 2.15.0 - 2.15.4, 2.14 - 2.14.6, 2.13 - 2.13.7, 2.2.0 - 2.2.12, 2.12 - 2.12.5, 2.11 - 2.11.4, 2.10 - 2.10.5, 2.9 - 2.9.5, 2.8 - 2.8.6, 2.7 - 2.7.6, 2.6 - 2.6.7, 2.5 - 2.5.6, 2.4 - 2.4.12, 2.1.0 - 2.1.4, 2.0.0 - 2.0.5

External links
http://github.com/git/git/security/advisories/GHSA-5rfh-556j-fhgj
http://github.com/git/git/commit/1204e1a824c34071019fe106348eaa6d88f9528d
http://github.com/git/git/commit/9e65df5eab274bf74c7b570107aacd1303a1e703

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.9

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17

Multiple vulnerabilities in Migration Toolkit for Containers 1.8

Autodesk InfraWorks update for third-party components

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.16

Ubuntu update for git

Debian update for git

Multiple vulnerabilities in Red Hat OpenShift Dev Spaces

Multiple vulnerabilities in Juniper Secure Analytics (JSA)

Multiple vulnerabilities in IBM QRadar SIEM