UNIX Hard Link in Git - CVE-2024-32020
Published: June 7, 2024
Vulnerability identifier: #VU91286
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-32020
CWE-ID: CWE-62
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Git
Affected software:
Git
Git
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the original repository.
The vulnerability exists due to insecure hardlink following when working with local clones. Local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user.
How to mitigate CVE-2024-32020
Install updates from vendor's website.