CVE-2024-24577

EPSS 0.3%
Published 06.02.2024 22:16:15
Last modified 21.11.2024 08:59:27
Source security-advisories@github.com
Teams watchlist Login
Open Login

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

Affected products Warnungen 0 Metrics 3 CWE 2 References 12

Data is provided by the National Vulnerability Database (NVD)

Libgit2 ≫ Libgit2 Version < 1.6.5

Libgit2 ≫ Libgit2 Version >= 1.7.0 < 1.7.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.3%	0.529

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

https://github.com/libgit2/libgit2/releases/tag/v1.6.5

Release Notes

https://github.com/libgit2/libgit2/releases/tag/v1.7.2

Release Notes

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/

https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html

https://nvd.nist.gov/vuln/detail/CVE-2024-24577

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24577

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24577

EUVD