x/vulndb: potential Go vuln in github.com/git/git: CVE-2024-32002

[GoVulnBot]

CVE-2024-32002 references github.com/git/git, which may be a Go module.

Description:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-32002
• JSON: https://github.com/CVEProject/cvelist/tree/1835c6fe7398640dea8a087ddc62ac1549c30108/2024/32xxx/CVE-2024-32002.json
• advisory: GHSA-8h77-4q3w-gfgv
• fix: git/git@9706576
• web: https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
• web: https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
• Imported by: https://pkg.go.dev/github.com/git/git?tab=importedby

Cross references:

• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-29187 #513 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39253 #1068 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39260 #1069 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-23521 #1499 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-41903 #1500 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-22490 #1562 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-23946 #1563 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-25652 #1739 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-29007 #1741 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-11008 #2266 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12279 #2272 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-5260 #2304 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2021-21300 #2320 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/git/git
      vulnerable_at: 2.45.1+incompatible
      packages:
        - package: git
summary: CVE-2024-32002 in github.com/git/git
cves:
    - CVE-2024-32002
references:
    - advisory: https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
    - fix: https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d
    - web: https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
    - web: https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
source:
    id: CVE-2024-32002

[gopherbot]

Change https://go.dev/cl/590855 mentions this issue: data/excluded: add 20 excluded reports