Git has released several bug fixes to address vulnerabilities persist in its product that could allow code execution.
The most critical vulnerability is tracked as CVE-2024-32002, which allows specially crafted Git repositories with submodules to trick Git into writing files into a .git/ directory instead of the submodule’s worktree. With a combination of directory and a symbolic link that differs only in case so that Git can write either one, or the other, but not both. This confusion can be used to manipulate Git into writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.
The next vulnerability tracked as CVE-2024-32004 also allows remote code execution, but only on multi-user machines. An attacker can clone a partial repository, Git will execute arbitrary code during the operation with full permissions of the user performing the clone.
The other vulnerabilities are CVE-2024-32465 may allow attackers to bypass protections for cloning untrusted repositories, CVE-2024-32020 may allow untrusted users to modify objects in the local cloned repository, and CVE-2024-32021 may be used to manipulate Git into writing files outside the Git worktree and outside the .git/ directory.
The vulnerabilities have been patched in Git v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2, and v2.39.4.
It is recommended that upgrading to the latest Git version is essential to protect against these vulnerabilities. If upgradation is not possible at this moment, extra care needs to be taken while cloning repositories.
