Git fixes holes: five fixes at once make working with repositories safer

Father

We recommend that you don't delay upgrading to version 2.45.1.

On May 14, 2024, a new version of Git, v2.45.1, was released, fixing five security vulnerabilities at once. The update affects all major platforms: Windows, macOS, Linux, and BSD.

GitHub Desktop and Visual Studio, which ship Git components, have also been updated accordingly. The patched vulnerabilities are:
  1. CVE-2024-32002 (CVSS score 9.1). Repositories with submodules can trick Git into writing files into the ".git/" directory instead of the submodule's working tree, so that a hook is executed during cloning, which can lead to remote code execution.
  2. CVE-2024-32004 (CVSS score 8.2). An attacker can craft a local repository so that arbitrary code is executed when it is cloned.
  3. CVE-2024-32465 (CVSS score 7.4). Repositories distributed inside ZIP archives with a ".git" directory included can bypass the existing protections for local clones, potentially executing unsafe hook scripts.
  4. CVE-2024-32020 (CVSS score 3.9). Local clones on the same disk may allow untrusted users to modify files in the object database of the cloned repository.
  5. CVE-2024-32021 (CVSS score 3.9). Cloning a local repository that contains symbolic links can lead to hard links to arbitrary files being created in the "objects/" directory.

Updating to the latest version is necessary to protect against the vulnerabilities described above. If an update is not possible for some reason, you should take special care when cloning repositories from untrusted sources.
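As an added example (not part of the original post or of Git itself), the script below turns that advice into a pre-clone checklist: it checks that the installed Git is at or above the fixed version, lists any executable non-sample hooks in an unpacked tree (the ZIP case), and wraps `git clone` with the options that matter here: no submodule recursion, no local hardlink fast path, and hooks disabled for the clone process. The function names, the script filename `git-precheck.sh`, and the sample hooks directory used in the test are assumptions; `core.hooksPath=/dev/null` is a common idiom, not an official mitigation from the release notes.

```shell
#!/usr/bin/env bash
# Added example for the Git v2.45.1 advisory. Assumes bash, GNU/BSD coreutils
# (sort -V, find) and git on PATH. Function names are illustrative.
set -u

# Version that fixes the five CVEs listed in the advisory.
GIT_FIXED_VERSION="2.45.1"

# parse_git_version "git version 2.45.1.windows.1" -> "2.45.1"
parse_git_version() {
  printf '%s\n' "$1" | sed -E 's/^git version ([0-9]+(\.[0-9]+)*).*/\1/'
}

# version_ge A B: succeeds when dotted version A >= B (sort -V orders numerically).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# git_version_ok [version]: is the given (or installed) git >= 2.45.1?
git_version_ok() {
  local v="${1:-}"
  if [ -z "$v" ]; then
    v="$(parse_git_version "$(git --version 2>/dev/null || true)")"
  fi
  [ -n "$v" ] && version_ge "$v" "$GIT_FIXED_VERSION"
}

# active_hooks DIR: executable, non-sample files in DIR/.git/hooks.
# A fresh clone only has *.sample files; anything else in a tree you unpacked
# from an archive (CVE-2024-32465) is a hook git would run on checkout/commit.
active_hooks() {
  local hooks="$1/.git/hooks"
  [ -d "$hooks" ] || return 0
  find "$hooks" -maxdepth 1 -type f -perm -100 ! -name '*.sample' | sort
}

# count_active_hooks DIR: number of such hooks (0 is what you want to see).
count_active_hooks() {
  active_hooks "$1" | wc -l | tr -d ' '
}

# safe_clone SRC DEST: clone an untrusted source with the knobs that bear on the
# listed CVEs: --no-recurse-submodules (CVE-2024-32002), --no-local to avoid the
# hardlink fast path (CVE-2024-32004/32020/32021), and a hooks path that does
# not exist so no hook fires during the clone itself. Inspect the result with
# active_hooks before running any further git command inside it.
safe_clone() {
  git -c core.hooksPath=/dev/null \
      clone --no-local --no-recurse-submodules -- "$1" "$2"
}

# Usage when saved as git-precheck.sh:  bash git-precheck.sh [UNPACKED_DIR]
if [ "$(basename -- "$0")" = "git-precheck.sh" ]; then
  if git_version_ok; then
    echo "git is at or above $GIT_FIXED_VERSION"
  else
    echo "git is older than $GIT_FIXED_VERSION: upgrade before cloning untrusted repositories"
  fi
  if [ $# -ge 1 ]; then
    echo "active hooks in $1: $(count_active_hooks "$1")"
    active_hooks "$1"
  fi
fi
```

The hooks check is the piece that survives even after you upgrade: Git's defence for local clones does not help when the `.git` directory arrived inside an archive you extracted yourself, so look at `.git/hooks` before the first `git status` or `git checkout` in such a tree.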

Improving the security of cloning has been the focus of recent Git releases. The project aims to make cloning safe even for untrusted repositories, and the protections involved are now thoroughly documented.

The development team has also added a number of hardening measures to reduce the likelihood of similar vulnerabilities in the future, including changes that protect against remote code execution and make hook script execution safer.

Timely updates to the latest versions are essential to prevent possible supply-chain attacks and the execution of unwanted code.
 