CVE-2024-52005

EUVD-2024-46250
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Affected Products (NVD)
VendorProductVersion
gitgit
𝑥
≤ 2.40.4
gitgit
2.41.0 ≤
𝑥
≤ 2.41.3
gitgit
2.42.0 ≤
𝑥
≤ 2.42.4
gitgit
2.43.0 ≤
𝑥
≤ 2.43.6
gitgit
2.44.0 ≤
𝑥
≤ 2.44.3
gitgit
2.45.0 ≤
𝑥
≤ 2.45.3
gitgit
2.46.0 ≤
𝑥
≤ 2.46.3
gitgit
2.47.0 ≤
𝑥
≤ 2.47.1
gitgit
2.48.0 ≤
𝑥
≤ 2.48.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
git
bookworm
unimportant
bookworm (security)
unimportant
bullseye
unimportant
bullseye (security)
unimportant
forky
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
git
bionic
deferred
focal
deferred
jammy
deferred
noble
deferred
oracular
ignored
plucky
deferred
questing
deferred
xenial
deferred
Common Weakness Enumeration
References
https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net