CVE-2024-32004

Description

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

CVSS v3.1 Score

8.1

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-114 CWE-114

Affected Products

Vendor	Product	Versions
git-scm	git	< 2.39.4
git-scm	git	2.40.0 — 2.40.2
git-scm	git	2.42.0 — 2.42.2
git-scm	git	2.43.0 — 2.43.4
git-scm	git	All
git-scm	git	All
git-scm	git	All
fedoraproject	fedora	All
debian	debian_linux	All
debian	debian_linux	All

References

Advisories & Patches

https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8 https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389 https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html https://lists.fedoraproject.org/archives/list/[email protected]/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/ https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8 https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389 https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html https://lists.fedoraproject.org/archives/list/[email protected]/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

Other References

http://www.openwall.com/lists/oss-security/2024/05/14/2 https://git-scm.com/docs/git-clone http://www.openwall.com/lists/oss-security/2024/05/14/2 https://git-scm.com/docs/git-clone

Frequently Asked Questions

What is CVE-2024-32004? +

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. It has a CVSS v3.1 base score of 8.1 (HIGH).

How severe is CVE-2024-32004? +

CVE-2024-32004 has a CVSS v3.1 score of 8.1 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2024-32004? +

CVE-2024-32004 affects products from debian, fedoraproject, git-scm, specifically: debian_linux, fedora, git. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-32004? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-36250 10.0

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 NIM server (formerly known as NIM master) service (nimesis) …

CVE-2024-56346 10.0

IBM AIX 7.2 and 7.3 nimesis NIM master service could allow a remote attacker to execute arbitrary commands due to …

CVE-2024-56347 9.6

IBM AIX 7.2 and 7.3 nimsh service SSL/TLS protection mechanisms could allow a remote attacker to execute arbitrary commands due …

CVE-2025-36251 9.6

IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 nimsh service SSL/TLS implementations could allow a remote attacker …

CVE-2025-1950 9.3

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due …

CVE-2024-25021 8.4

IBM AIX 7.3, VIOS 4.1's Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary …