CVE-2024-32004: 
vulnerability analysis and mitigation

CVE-2024-32004 is a security vulnerability in Git, a widely used revision control system. The vulnerability was discovered and disclosed on May 14, 2024, affecting multiple Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. The issue allows an attacker to prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue stems from insufficient ownership validation during local repository cloning operations. When cloning from somebody else's repositories, it is possible that commands like 'upload-pack' can be overridden in the repository that is about to be cloned, which would then be run in the user's context who started the clone (Git Commit).

The vulnerability allows an attacker to execute arbitrary code in the context of the user performing the clone operation. This can lead to complete system compromise within the user's permission level, affecting the confidentiality, integrity, and availability of the system (GitHub Advisory).

The vulnerability has been patched in Git versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, users are advised to avoid cloning repositories from untrusted sources. Multiple Linux distributions have also released security updates to address this vulnerability (Debian Advisory, Fedora Update).