Published: 06/02/2024 Updated: 22/02/2024

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions prior to 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.

Vulnerable Product	Search on Vulmon	Subscribe to Product
libgit2 libgit2

Debian Bug report logs - #1063415 libgit2: CVE-2024-24575: Denial of service attack in `git_revparse_single` Package: src:libgit2; Maintainer for src:libgit2 is Utkarsh Gupta <utkarsh@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 7 Feb 2024 21:27:02 UTC Severity: important Tags: secur ...

Debian Bug report logs - #1063416 libgit2: CVE-2024-24577: Arbitrary code execution due to heap corruption in `git_index_add` Package: src:libgit2; Maintainer for src:libgit2 is Utkarsh Gupta <utkarsh@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 7 Feb 2024 21:27:13 UTC Severity: grav ...

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application The ...

DescriptionThis CVE is under investigation by Red Hat Product Security ...

CWE-400 https://github.com/libgit2/libgit2/security/advisories/GHSA-54mf-x2rh-hq9v https://github.com/libgit2/libgit2/commit/add2dabb3c16aa49b33904dcdc07cd915efc12fa https://github.com/libgit2/libgit2/releases/tag/v1.6.5 https://github.com/libgit2/libgit2/releases/tag/v1.7.2 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063415 https://nvd.nist.gov https://alas.aws.amazon.com/AL2/ALAS-2024-2496.html

CVE-2024-24575

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect