CVE-2024-32478

Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system to replace the binary and gain other users' privileges. This vulnerability is fixed in 2.5.0.
Configurations

No configuration.

History

21 Nov 2024, 09:14

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | () https://github.com/git-ecosystem/git-credential-manager/commit/d9ac33c5b1478383672b4425f5ecf875a62efba9 - | () https://github.com/git-ecosystem/git-credential-manager/commit/d9ac33c5b1478383672b4425f5ecf875a62efba9 - |
| References | () https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-3c3g-h9rx-f7vq - | () https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-3c3g-h9rx-f7vq - |
| Summary | | (es) Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system to replace the binary and obtain other users' privileges. This vulnerability was fixed in 2.5.0. |

19 Apr 2024, 15:15

| Type | Values Removed | Values Added |
| --- | --- | --- |
| New CVE | | |

Information

Published : 2024-04-19 15:15

Updated : 2024-11-21 09:14


NVD link : CVE-2024-32478

Mitre link : CVE-2024-32478

CVE.ORG link : CVE-2024-32478



Products Affected

No product.

CWE
CWE-732

Incorrect Permission Assignment for Critical Resource