CVE-2022-24975

EUVD-2022-29725
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Affected Products (NVD)
VendorProductVersion
git-scmgit
𝑥
≤ 2.35.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
git
bookworm
unimportant
bookworm (security)
unimportant
bullseye
unimportant
bullseye (security)
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
git
bionic
ignored
focal
ignored
impish
ignored
jammy
ignored
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/
https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/