CVE-2024-32021

EUVD-2024-29859
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning
will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.9 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Affected Products (NVD)
VendorProductVersion
git-scmgit
𝑥
< 2.39.4
git-scmgit
2.40.0 ≤
𝑥
< 2.40.2
git-scmgit
2.42.0 ≤
𝑥
< 2.42.2
git-scmgit
2.43.0 ≤
𝑥
< 2.43.4
git-scmgit
2.41.0
git-scmgit
2.44.0
git-scmgit
2.45.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
gitgit
𝑥
< 2.39.4
ADP
gitgit
2.40.0 ≤
𝑥
< 2.40.2
ADP
gitgit
2.41.0 ≤
𝑥
< 2.41.1
ADP
gitgit
2.42.0 ≤
𝑥
< 2.42.2
ADP
gitgit
2.43.0 ≤
𝑥
< 2.43.4
ADP
gitgit
2.44.0 ≤
𝑥
< 2.44.1
ADP
gitgit
2.45.0 ≤
𝑥
< 2.45.1
ADP
Debian logo
Debian Releases
Debian Product
Codename
git
bookworm
1:2.39.5-0+deb12u2
fixed
bookworm (security)
1:2.39.5-0+deb12u2
fixed
bullseye
vulnerable
bullseye (security)
1:2.30.2-1+deb11u5
fixed
forky
1:2.51.0-1
fixed
sid
1:2.51.0-1
fixed
trixie
1:2.47.3-0+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
git
bionic
Fixed 1:2.17.1-1ubuntu0.18+esm1
released
focal
Fixed 1:2.25.1-1ubuntu3.12
released
jammy
Fixed 1:2.34.1-1ubuntu1.11
released
mantic
Fixed 1:2.40.1-1ubuntu1.1
released
noble
Fixed 1:2.43.0-1ubuntu7.1
released
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
git
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-arch
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-core
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
git-cvs
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-daemon
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-doc
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-email
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-gui
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-svn
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
git-web
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
gitk
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 12 SP3
2.26.2-27.78.1
fixed
suse enterprise server 12 SP5
2.26.2-27.78.1
fixed
suse enterprise server 15 SP2
2.26.2-150000.56.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
perl-Git
suse enterprise desktop 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise desktop 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise desktop 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise sap 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise sap 15 SP7
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP3
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP4
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP5
2.35.3-150300.10.39.1
fixed
suse enterprise server 15 SP6
2.43.0-150600.3.3.1
fixed
suse enterprise server 15 SP7
2.43.0-150600.3.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
git
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-all
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-core
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-core-doc
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-credential-libsecret
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-daemon
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-email
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-gui
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-instaweb
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-subtree
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
git-svn
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
gitk
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
gitweb
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
perl-Git
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
perl-Git-SVN
RHEL 8
0:2.43.5-1.el8_10
fixed
RHEL 9
0:2.43.5-1.el9_4
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
emacs-git
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
emacs-git-el
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
git
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-all
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-bzr
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
git-core
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-core-debuginfo
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-core-doc
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-credential-libsecret
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-credential-libsecret-debuginfo
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-cvs
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-daemon
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-daemon-debuginfo
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-debuginfo
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-debugsource
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-email
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-gui
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-hg
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
git-instaweb
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-p4
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-subtree
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
git-svn
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
gitk
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
gitweb
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
perl-Git
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
perl-Git-SVN
Amazon Linux 1
0:2.38.4-1.81.amzn1
fixed
Amazon Linux 2
0:2.40.1-1.amzn2.0.3
fixed
Amazon Linux 2023
0:2.40.1-1.amzn2023.0.3
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
git
Azure Linux 3.0
0:2.45.2-1.azl3
fixed
CBL-Mariner 2.0
0:2.39.4-1.cm2
fixed