Skip to main content
Version: latest

CVE-2024-32002

CVE Details

CVE-2024-32002

Last Update

09/15/2024

NIST CVE Summary

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still active, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Our Official Summary

A critical vulnerability in Git has recently been published that could lead to remote command injection. The exploitation occurs when the victim clones a malicious repository recursively, which would execute hooks contained in the submodules. The vulnerability lies in the way Git handles symbolic links in repository submodules. There are currently several PoCs with public exploits that expose the vulnerability. This risk of this vulnerability exploited in spectrocloud products is very low.

CVE Severity

9.0

Status

Ongoing

Affected Products & Versions

  • Palette VerteX 4.4.18

Revision History

  • 1.0 09/15/2024 Initial Publication
  • 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products