Rapid7 Vulnerability & Exploit Database

Oracle Linux: CVE-2024-32002: ELSA-2024-4083: git security update (IMPORTANT) (Multiple Advisories)

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Oracle Linux: CVE-2024-32002: ELSA-2024-4083: git security update (IMPORTANT) (Multiple Advisories)

Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
05/14/2024
Created
06/27/2024
Added
06/25/2024
Modified
12/03/2024

Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. A vulnerability was found in Git. This vulnerability allows the malicious manipulation of repositories containing submodules, exploiting a bug that enables the writing of files into the .git/ directory instead of the submodule's intended worktree. This manipulation facilitates the execution of arbitrary code during the cloning process, bypassing user inspection and control.

Solution(s)

  • oracle-linux-upgrade-git
  • oracle-linux-upgrade-git-all
  • oracle-linux-upgrade-git-core
  • oracle-linux-upgrade-git-core-doc
  • oracle-linux-upgrade-git-credential-libsecret
  • oracle-linux-upgrade-git-daemon
  • oracle-linux-upgrade-git-email
  • oracle-linux-upgrade-git-gui
  • oracle-linux-upgrade-git-instaweb
  • oracle-linux-upgrade-gitk
  • oracle-linux-upgrade-git-subtree
  • oracle-linux-upgrade-git-svn
  • oracle-linux-upgrade-gitweb
  • oracle-linux-upgrade-perl-git
  • oracle-linux-upgrade-perl-git-svn

insightVM

Advanced vulnerability management analytics and reporting.
Key Features
  • Lightweight Endpoint Agent
  • Live Dashboards
  • Real Risk Prioritization
  • IT-Integrated Remediation Projects
  • Cloud, Virtual, and Container Assessment
  • Integrated Threat Feeds
  • Easy-to-Use RESTful API
  • Automation-Assisted Patching
  • Automated Containment
Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;