Advisory

Git fixes critical vulnerability exposing RCE when cloning repositories with submodules

Take action: If you are using Git for version control, plan to update it soon. If you installed it yourself, update ASAP. If it is part of an operating system package (for example, Xcode on macOS), check for an updated version. In the meantime, be careful when cloning external repositories.


Learn More

The distributed version control system Git released new versions to address five vulnerabilities.

The most critical flaw is tracked as CVE-2024-32002 (CVSS score 9) and affects Git on Windows and macOS. This vulnerability allows attackers to trick Git into writing files into a .git/ directory instead of the submodule's worktree by confusing Git with a directory and a symbolic link that differ only in case. This can manipulate Git into writing a hook that executes while the clone operation is still running, leaving the user no opportunity to inspect the code before it runs.

Other Fixed Vulnerabilities

  • CVE-2024-32004 (CVSS score 8.1): Allows arbitrary code execution on multi-user machines. An attacker prepares a local repository so that it looks like a partial clone missing an object, causing code to run during the clone operation.

  • CVE-2024-32465 (CVSS score 7.3): May allow attackers to bypass protections for cloning untrusted repositories.

  • CVE-2024-32020 (CVSS score 3.9): May allow untrusted users to modify objects in the cloned (local) repository.

  • CVE-2024-32021 (CVSS score 3.9): May allow manipulation of Git into writing files outside the Git worktree and outside the .git/ directory.

Git has fixed the flaws in the following releases:

  • Git v2.45.1
  • Git v2.44.1
  • Git v2.43.4
  • Git v2.42.2
  • Git v2.41.1
  • Git v2.40.2
  • Git v2.39.4

Users are strongly advised to upgrade to the latest Git version to protect against these vulnerabilities. If an immediate upgrade is not possible, caution is advised when cloning repositories from untrusted sources.
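One way to check whether an installed Git is at or above the fixed release for its maintenance line, as an added example that is not part of the advisory: the script below takes the output of `git --version` (including the `.windows.1` and `(Apple Git-…)` suffixes that vendor builds add), maps it onto the fixed releases listed above, and reports whether it is patched. It assumes that any minor line newer than 2.45 (2.46 and later) carries the fixes, and that lines older than 2.39 received no fix in this batch; the helper name `git_is_patched` is this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Git version string
# is at or above the fixed release for its maintenance line.

# Fixed release per minor line, copied from the advisory's list.
FIXED_RELEASES="2.45.1 2.44.1 2.43.4 2.42.2 2.41.1 2.40.2 2.39.4"

# git_is_patched VERSION
#   VERSION may be the raw output of `git --version`, e.g.
#   "git version 2.45.1.windows.1" or "git version 2.39.3 (Apple Git-146)".
#   Prints "yes", "no", or "unknown" (unparseable input).
git_is_patched() {
    # Drop the "git version " prefix and anything after the numeric part.
    v=$(printf '%s' "$1" | sed 's/^git version //; s/[^0-9.].*//')
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return ;;
    esac
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    patch=${patch:-0}

    # Assumption: a future major version is fixed; anything before 2.x is not.
    if [ "$major" -gt 2 ]; then echo yes; return; fi
    if [ "$major" -lt 2 ]; then echo no; return; fi

    # Compare against the fixed patch level of the matching minor line.
    for f in $FIXED_RELEASES; do
        fminor=$(printf '%s' "$f" | cut -d. -f2)
        fpatch=$(printf '%s' "$f" | cut -d. -f3)
        if [ "$minor" -eq "$fminor" ]; then
            if [ "$patch" -ge "$fpatch" ]; then echo yes; else echo no; fi
            return
        fi
    done

    # Not one of the listed lines: assume newer lines (2.46+) are fixed and
    # older lines (2.38 and earlier) are not.
    if [ "$minor" -gt 45 ]; then echo yes; else echo no; fi
}

# Report on the Git found in PATH, if any.
if command -v git >/dev/null 2>&1; then
    installed=$(git --version)
    echo "installed: $installed -> patched: $(git_is_patched "$installed")"
fi
```

Run it on each machine you maintain; a "no" for a vendor-bundled Git (such as the one shipped with Xcode) means waiting for, or installing, the vendor's updated package rather than just upgrading a standalone Git.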

Fixed versions of Git have been embedded in the latest GitHub Desktop releases for Windows and macOS. Fixes for CVE-2024-32002 and CVE-2024-32004 have been implemented in Visual Studio.
