#VU91287 UNIX symbolic link following in Git - CVE-2024-32021


Vulnerability identifier: #VU91287

Vulnerability risk: Medium

CVSSv4.0: 3.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-32021

CWE-ID: CWE-61

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows a remote attacker to compromise the original repository.

The vulnerability exists due to insecure symlink following issue. When cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git: 2.0.0 - 2.0.5, 2.1.0 - 2.19.5, 2.2.0 - 2.29.3, 2.3.0 - 2.39.4, 2.4 - 2.45.1, 2.5 - 2.5.6, 2.6 - 2.6.7, 2.7 - 2.7.6, 2.8 - 2.8.6, 2.9 - 2.9.5

External links
https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for git
SUSE update for git
Multiple vulnerabilities in Dell OpenManage Network Integration (OMNI)
Fedora 42 update for swiftlint
Multiple vulnerabilities in Red Hat OpenShift Dev Spaces 3.17
Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.9
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17
Multiple vulnerabilities in Migration Toolkit for Containers 1.8
Autodesk InfraWorks update for third-party components
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.16