Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2024-32021

Public on 2024-05-14
Modified on 2024-05-15
Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning
will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Severity
Low
See what this means
CVSS v3 Base Score
3.9
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 git 2024-05-23 21:37 ALAS-2024-1939
Amazon Linux 2 - Core git 2024-05-23 22:04 ALAS2-2024-2548
Amazon Linux 2023 git 2024-05-23 21:49 ALAS2023-2024-623

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 3.9 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
NVD CVSSv3 3.9 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L