x/vulndb: potential Go vuln in github.com/git/git: CVE-2024-32004

[GoVulnBot]

CVE-2024-32004 references github.com/git/git, which may be a Go module.

Description:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-32004
• JSON: https://github.com/CVEProject/cvelist/tree/1835c6fe7398640dea8a087ddc62ac1549c30108/2024/32xxx/CVE-2024-32004.json
• advisory: GHSA-xfc6-vwr8-r389
• fix: git/git@f4aa8c8
• web: https://git-scm.com/docs/git-clone
• Imported by: https://pkg.go.dev/github.com/git/git?tab=importedby

Cross references:

• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-29187 #513 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39253 #1068 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39260 #1069 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-23521 #1499 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-41903 #1500 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-22490 #1562 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-23946 #1563 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-25652 #1739 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-29007 #1741 NOT_GO_CODE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-11008 #2266 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12279 #2272 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-5260 #2304 LEGACY_FALSE_POSITIVE
• Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2021-21300 #2320 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/git/git
      vulnerable_at: 2.45.1+incompatible
      packages:
        - package: git
summary: CVE-2024-32004 in github.com/git/git
cves:
    - CVE-2024-32004
references:
    - advisory: https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
    - fix: https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
    - web: https://git-scm.com/docs/git-clone
source:
    id: CVE-2024-32004

[gopherbot]

Change https://go.dev/cl/590855 mentions this issue: data/excluded: add 20 excluded reports