A critical remote code execution vulnerability, identified as CVE-2024-32002, has been discovered in Git’s clone command, posing severe risks to users. Rated with a critical severity score of 9.0, this vulnerability allows attackers to execute remote code due to the improper handling of submodules in case-insensitive filesystems on Windows and macOS. The vulnerability arises from how Git handles directory paths that differ only in case, such as A/modules/x and a/modules/x, treating them as identical. This can be exploited by crafting malicious symlinks within submodules that point to sensitive directories like .git.
The Git security advisory detailed that the vulnerability can be triggered during the cloning process if a malicious repository is crafted to include these symlinks. When a victim clones the repository, Git may follow the symlink, potentially leading to remote code execution on the victim’s system. This critical flaw highlights the importance of secure handling of file paths and symbolic links within repositories.
Git has addressed this vulnerability by releasing patches in versions subsequent to 5.1.8, specifically in version 5.1.9, which was released on April 29, 2024. The fixes include modifications to the clone_submodule function and the addition of a new function, dir_contains_only_dotgit, to ensure directories only contain a .git file or directory before proceeding. These measures prevent the accidental following of malicious symlinks.
Users are strongly advised to update their Git installations to the latest version to mitigate the risks associated with this vulnerability. Patchstack and cybersecurity experts emphasize the need for vigilance in securing repository operations and ensuring that critical updates are applied promptly. This incident underscores the continuous need for security assessments and robust defenses in software development environments to protect against evolving threats.
Reference:
