Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2024-32004

Process Control

Published: May 14, 2024 | Modified: Jun 26, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
8.1 IMPORTANT
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2024-32004
CWEhttps://cwe.mitre.org/data/definitions/114.html

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

Weakness

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.

Affected Software

Name Vendor Start Version End Version
Red Hat Enterprise Linux 8 RedHat git-0:2.43.5-1.el8_10 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat git-0:2.18.4-5.el8_2 *
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support RedHat git-0:2.27.0-5.el8_4 *
Red Hat Enterprise Linux 8.4 Telecommunications Update Service RedHat git-0:2.27.0-5.el8_4 *
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions RedHat git-0:2.27.0-5.el8_4 *
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support RedHat git-0:2.31.8-3.el8_6 *
Red Hat Enterprise Linux 8.6 Telecommunications Update Service RedHat git-0:2.31.8-3.el8_6 *
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions RedHat git-0:2.31.8-3.el8_6 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat git-0:2.39.5-1.el8_8 *
Red Hat Enterprise Linux 9 RedHat git-0:2.43.5-1.el9_4 *
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions RedHat git-0:2.31.1-6.el9_0 *
Red Hat Enterprise Linux 9.2 Extended Update Support RedHat git-0:2.39.5-1.el9_2 *
Git Ubuntu devel *
Git Ubuntu esm-infra/bionic *
Git Ubuntu focal *
Git Ubuntu jammy *
Git Ubuntu mantic *
Git Ubuntu noble *
Git Ubuntu upstream *

Extended Description

Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use