Platform: linux
Component: git
Fixed in: 2.45.1, 2.44.1, 2.43.1, 2.42.1, 2.41.1, 2.40.1, 2.39.5
CVE-2024-32465 affects Git versions less than or equal to 2.43.0 and prior to 2.43.4. This vulnerability allows attackers to bypass repository protections during cloning operations, potentially leading to unauthorized access to sensitive data. While Git includes safeguards for cloning untrusted repositories, this flaw circumvents those protections. A fix is available in Git version 2.45.1.
This vulnerability arises when cloning local repositories owned by other users, particularly when dealing with .zip files containing repository data. An attacker could craft a malicious repository structure that exploits this bypass, gaining access to files and configurations they shouldn't have. The impact extends beyond simple file access; attackers could potentially modify repository history, inject malicious hooks, or exfiltrate sensitive credentials stored within the repository. This is similar in concept to CVE-2024-32004, but represents a scenario where the previous fix is insufficient.
CVE-2024-32465 was published on May 14, 2024. It is related to CVE-2024-32004, highlighting a broader issue with repository security. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests a moderate probability of exploitation (medium EPSS score). It is not currently listed on the CISA KEV catalog.
Exploit status
EPSS: 0.15% (36th percentile)
The primary mitigation is to upgrade to Git version 2.45.1 or later. Until the upgrade is possible, avoid cloning repositories from untrusted sources. If you must clone such repositories, consider using the --no-local option to create a clean copy, although this does not fully mitigate the risk. Review and restrict access permissions within your Git repositories to limit the potential impact of a successful exploit. Monitor Git logs for unusual cloning activity or unexpected file modifications.
Update Git to version 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 or 2.39.4, or later. Avoid using Git on repositories obtained through archive files from untrusted sources. If you cannot update immediately, exercise caution when working with repositories obtained from untrusted sources.
CVE-2024-32465 is a HIGH severity vulnerability in Git affecting versions less than or equal to 2.43.0 and prior to 2.43.4. It allows attackers to bypass repository protections during cloning, potentially exposing sensitive data.
You are affected if you are using a Git version less than or equal to 2.43.0 or prior to 2.43.4. Check your Git version with git --version.
Upgrade to Git version 2.45.1 or later. You can download the latest version from the official Git website.
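The version check above can be scripted so it is repeatable across a fleet. The following POSIX shell function is an added example, not code from this page or from the Git project: it parses the output of git --version, looks for the matching release line in a fixed-version list, and reports whether that installation is at or past the patched release. FIXED_VERSIONS is seeded with the "Fixed in" list at the top of this page; the upgrade advice on the page quotes a slightly different set, so edit the variable to match the advisory you rely on. Release lines older than every listed line are reported as "unknown" because they never received a patch and should be treated as vulnerable.

```shell
#!/bin/sh
# Added example (not from the advisory page or the Git project): decide whether
# an installed Git version sits in a release line that carries the fix for
# CVE-2024-32465. FIXED_VERSIONS is taken from the "Fixed in" list at the top
# of the page; adjust it to whichever advisory list you rely on.
FIXED_VERSIONS="2.45.1 2.44.1 2.43.1 2.42.1 2.41.1 2.40.1 2.39.5"

# split_version STRING -> prints "MAJOR MINOR PATCH". Accepts either a bare
# "2.45.1" or the full "git version 2.45.1" line; any suffix after the patch
# number (e.g. ".windows.1" or "-rc0") is ignored.
split_version() {
  printf '%s\n' "$1" | sed -E 's/^[^0-9]*([0-9]+)\.([0-9]+)\.([0-9]+).*/\1 \2 \3/'
}

# git_is_fixed VERSION -> prints "fixed", "vulnerable" or "unknown" and returns
# 0 (fixed), 1 (same release line but below the patched release) or
# 2 (release line older than every fixed line; treat as vulnerable).
git_is_fixed() {
  set -- $(split_version "$1")
  major=$1; minor=$2; patch=$3
  newest_major=0; newest_minor=0
  for fv in $FIXED_VERSIONS; do
    set -- $(split_version "$fv")
    fmajor=$1; fminor=$2; fpatch=$3
    # Track the newest fixed release line for the "newer than any fix" case.
    if [ "$fmajor" -gt "$newest_major" ] || { [ "$fmajor" -eq "$newest_major" ] && [ "$fminor" -gt "$newest_minor" ]; }; then
      newest_major=$fmajor; newest_minor=$fminor
    fi
    # Same release line as a fixed version: compare the patch level.
    if [ "$major" -eq "$fmajor" ] && [ "$minor" -eq "$fminor" ]; then
      if [ "$patch" -ge "$fpatch" ]; then
        echo fixed; return 0
      fi
      echo vulnerable; return 1
    fi
  done
  # A release line newer than every listed one shipped after the fix.
  if [ "$major" -gt "$newest_major" ] || { [ "$major" -eq "$newest_major" ] && [ "$minor" -gt "$newest_minor" ]; }; then
    echo fixed; return 0
  fi
  echo unknown; return 2
}

# Usage on a live host (requires git on PATH):
#   git_is_fixed "$(git --version)" || echo "upgrade Git before cloning untrusted repositories"
```

The function deliberately compares only within a release line, because Git backports security fixes to several maintenance branches at once; a plain "is the version greater than 2.45.1" test would wrongly flag a patched 2.43.x as vulnerable and wrongly pass an unpatched 2.44.0.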
While public exploits are not widespread, the vulnerability's nature suggests a potential for exploitation, and it's recommended to apply the patch promptly.
Refer to the Git Security Advisory: https://git-scm.com/downloads/security