CVE-2024-32002
CVE Details
Last Update
09/15/2024
NIST CVE Summary
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4,
repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing
files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed
while the clone operation is still active, giving the user no opportunity to inspect the code that is being executed.
The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link
support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As
always, it is best to avoid cloning repositories from untrusted sources.
Our Official Summary
A critical vulnerability in Git has recently been published that could lead to remote command injection. The exploitation occurs when the victim clones a malicious repository recursively, which would execute hooks contained in the submodules. The vulnerability lies in the way Git handles symbolic links in repository submodules. There are currently several PoCs with public exploits that expose the vulnerability. This risk of this vulnerability exploited in spectrocloud products is very low.
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX 4.4.18
Revision History
- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products