
Cloud Vulnerability DB
A community-led vulnerabilities database
Git versions prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4 contain a vulnerability where, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory (GitHub Advisory, OSS Security).
When cloning a repository over the filesystem (without explicitly specifying the file:// protocol or --no-local), Git uses optimizations for local cloning, which include attempting to hard link object files instead of copying them. While the code includes checks against symbolic links in the source repository (added during the fix for CVE-2022-39253), these checks can be bypassed through a time-of-check-time-of-use race condition. If an object appears as a file during the check, but becomes a symlink during the operation, an adversary can bypass the check and create hardlinks in the destination objects directory to arbitrary user-readable files (GitHub Advisory).
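The consequence of the race described above is that a file under objects/ in the fresh clone may not be a Git object at all, but a hardlink to some other user-readable file. A defender-side check for that condition, added here as an example that is not part of the advisory or of Git's own code, is to audit every loose object in a clone: a genuine loose object is zlib-compressed data whose hash (SHA-1, or SHA-256 in a SHA-256 repository) equals its path. A hardlink alone is not a useful signal, because a legitimate local clone also hardlinks objects, so the script below reports link counts only as informational and treats a decompression failure or hash mismatch as the real finding. The function and helper names (`audit_loose_objects`, `write_loose_object`) and the sample repository layout are assumptions made for this example.

```python
import hashlib
import os
import stat
import zlib
from pathlib import Path

HEX = set("0123456789abcdef")


def write_loose_object(git_dir, content, obj_type="blob"):
    """Write a valid loose object into git_dir/objects and return its hash.

    Used here only to construct a sample repository offline; the on-disk
    format (zlib("<type> <len>\\0<content>") stored under objects/xx/yyyy...)
    is Git's standard loose-object format.
    """
    raw = b"%s %d\0" % (obj_type.encode(), len(content)) + content
    digest = hashlib.sha1(raw).hexdigest()
    sub = Path(git_dir) / "objects" / digest[:2]
    sub.mkdir(parents=True, exist_ok=True)
    (sub / digest[2:]).write_bytes(zlib.compress(raw))
    return digest


def audit_loose_objects(git_dir):
    """Return a list of (path, severity, reason) for entries under objects/.

    severity is "info" for hardlinks (expected in a local clone) and
    "suspect" for symlinks, undecompressable files and hash mismatches,
    i.e. entries that cannot be real Git objects.
    """
    findings = []
    objects = Path(git_dir) / "objects"
    for sub in objects.iterdir():
        # Only the two-hex-character fan-out dirs hold loose objects;
        # objects/pack and objects/info are skipped.
        if len(sub.name) != 2 or not set(sub.name) <= HEX or not sub.is_dir():
            continue
        for entry in sub.iterdir():
            st = entry.lstat()
            if stat.S_ISLNK(st.st_mode):
                findings.append((str(entry), "suspect", "symlink in objects/"))
                continue
            if st.st_nlink > 1:
                findings.append((str(entry), "info",
                                 "hardlinked (nlink=%d)" % st.st_nlink))
            try:
                raw = zlib.decompress(entry.read_bytes())
            except zlib.error:
                findings.append((str(entry), "suspect",
                                 "not a zlib-compressed object"))
                continue
            name = sub.name + entry.name
            # 40 hex chars -> SHA-1 repository, 64 -> SHA-256 repository.
            algo = hashlib.sha256 if len(name) == 64 else hashlib.sha1
            if algo(raw).hexdigest() != name:
                findings.append((str(entry), "suspect",
                                 "content hash does not match object name"))
    return findings


def suspect_findings(git_dir):
    """Convenience wrapper: only the entries that cannot be Git objects."""
    return [f for f in audit_loose_objects(git_dir) if f[1] == "suspect"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else ".git"
    for path, severity, reason in audit_loose_objects(target):
        print("%-7s %s: %s" % (severity, path, reason))
```

Run it against the .git directory of a freshly made clone (`python audit.py path/to/clone/.git`). Any "suspect" line means the file at that object path is not a Git object and should be inspected before the repository is used; for clones of untrusted local repositories, cloning with --no-local or a file:// URL avoids the hardlink optimization entirely.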
An adversary can cause the user to hardlink arbitrary files into their repository's objects/ directory. The vulnerability has been assigned a CVSS v3.1 base score of 3.9 (Low) with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L (GitHub Advisory).
The issue has been patched in Git versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. Users are advised to upgrade to these patched versions. Note that the defense-in-depth protection in these new Git versions causes a regression when cloning repositories enabled with Git LFS; in such cases, users need to call git lfs pull in the fresh clone (OSS Security).
Source: This report was generated using AI