CVE-2022-24975
📋 TL;DR
CVE-2022-24975 (GitBleed) is a documentation issue where Git's --mirror clone option documentation doesn't mention that deleted content remains accessible. This could lead to information disclosure if security audits rely on regular clones instead of mirror clones. Organizations using Git for sensitive repositories are affected.
💻 Affected Systems
- Git
📦 What is this software?
Git by Git Scm
⚠️ Risk & Real-World Impact
Worst Case
Attackers could recover deleted sensitive data (secrets, credentials, proprietary code) from Git repositories that were thought to be securely deleted, leading to data breaches.
Likely Case
Accidental exposure of deleted content during repository audits or migrations, potentially revealing outdated secrets or internal information.
If Mitigated
Minimal impact if organizations use proper Git hygiene practices and security controls for repository management.
🎯 Exploit Status
Exploitation requires repository access and knowledge of Git commands. This is more of an information disclosure risk than an active exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Git 2.35.2 and later
Vendor Advisory: https://github.com/git/git/security/advisories
Restart Required: No
Instructions:
1. Update Git to version 2.35.2 or later.
2. On Linux: use the package manager (apt-get upgrade git, yum update git, etc.).
3. On Windows: download the latest installer from git-scm.com.
4. On macOS: use Homebrew (brew upgrade git).
🔧 Temporary Workarounds
Use --mirror for security audits
Always use 'git clone --mirror' when performing security audits or repository analysis so that deleted content reachable from non-branch refs is included.
git clone --mirror <repository-url>
Implement repository cleanup
Use Git garbage collection and a force-push to permanently remove sensitive deleted content.
git gc --aggressive --prune=now
git push --force
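The two workarounds above hinge on one fact: a regular clone fetches only refs/heads/* and refs/tags/*, whereas --mirror fetches every ref (refs/pull/*, refs/keep-around/*, refs/notes/*, and so on), which is where "deleted" branch content usually survives. The following script is an added example, not code from this advisory or from the Git project: given the ref listing of a mirror clone (the contents of its packed-refs file, or the output of git for-each-ref --format='%(objectname) %(refname)'), it reports which refs a default clone would never have fetched and which commits are reachable only through them, so an auditor knows what a branch-only scan missed. The embedded packed-refs sample and its SHAs are constructed for the demonstration.

```python
# Added example (not from the advisory or from Git itself): classify the refs of a
# mirror clone so an auditor can see which ones a regular `git clone` would not
# have fetched. A default clone uses the refspec +refs/heads/*:refs/remotes/origin/*
# (plus tags); `git clone --mirror` uses +refs/*:refs/*, so anything outside
# refs/heads/ and refs/tags/ only shows up in the mirror.
from collections import defaultdict

# Namespaces a regular clone fetches by default.
DEFAULT_CLONE_PREFIXES = ("refs/heads/", "refs/tags/")


def parse_ref_lines(text):
    """Parse `<sha> <refname>` lines as found in a bare/mirror clone's packed-refs
    file or produced by `git for-each-ref --format='%(objectname) %(refname)'`.
    The packed-refs header (`# pack-refs with: ...`) and peeled-tag lines
    (`^<sha>`) are skipped."""
    refs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("^"):
            continue
        sha, _, name = line.partition(" ")
        # SHA-1 (40 hex) or SHA-256 (64 hex) object names are both accepted.
        if len(sha) not in (40, 64) or not name.startswith("refs/"):
            raise ValueError(f"unexpected ref line: {line!r}")
        refs[name] = sha
    return refs


def mirror_only_refs(refs):
    """Return {namespace: [refname, ...]} for refs a default clone would not fetch."""
    hidden = defaultdict(list)
    for name in sorted(refs):
        if name.startswith(DEFAULT_CLONE_PREFIXES):
            continue
        # Group by the second path component, e.g. "pull" for refs/pull/7/head.
        namespace = name.split("/", 2)[1]
        hidden[namespace].append(name)
    return dict(hidden)


def objects_only_reachable_via_mirror(refs):
    """Commits pointed to only by mirror-only refs: content that a branch- and
    tag-based audit never sees, even though the server still serves it."""
    visible = {sha for name, sha in refs.items()
               if name.startswith(DEFAULT_CLONE_PREFIXES)}
    return sorted({sha for name, sha in refs.items()
                   if not name.startswith(DEFAULT_CLONE_PREFIXES)
                   and sha not in visible})


# Constructed sample: a mirror clone's packed-refs after a feature branch that once
# carried a credential was deleted, while the hosting platform still keeps the
# pull-request head ref and a keep-around ref. All SHAs are placeholders.
SAMPLE_PACKED_REFS = """\
# pack-refs with: peeled fully-peeled sorted
1111111111111111111111111111111111111111 refs/heads/main
2222222222222222222222222222222222222222 refs/heads/release-1.4
3333333333333333333333333333333333333333 refs/keep-around/3333333333333333333333333333333333333333
4444444444444444444444444444444444444444 refs/pull/7/head
1111111111111111111111111111111111111111 refs/pull/8/head
5555555555555555555555555555555555555555 refs/tags/v1.4
^2222222222222222222222222222222222222222
"""

if __name__ == "__main__":
    refs = parse_ref_lines(SAMPLE_PACKED_REFS)
    for ns, names in mirror_only_refs(refs).items():
        print(f"{ns}: {len(names)} ref(s) a regular clone would not fetch")
        for n in names:
            print(f"  {n} -> {refs[n][:12]}")
    print("commits no branch or tag references:",
          objects_only_reachable_via_mirror(refs))
```

In practice, feed it `git for-each-ref` output rather than packed-refs alone, since freshly fetched refs may still be loose files under refs/. Every commit in the second list is a candidate for the secret-scanning and cleanup steps above; note that gc/prune on your own clone does nothing for the hosting platform's copy, whose hidden refs must be removed through the platform.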
🧯 If You Can't Patch
- Train developers and security teams to always use 'git clone --mirror' for security audits and repository analysis
- Implement repository scanning tools that check for exposed secrets in Git history and enforce cleanup procedures
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Git version is 2.35.1 or earlier and whether its git-clone documentation does not mention that --mirror includes deleted content.
Check Version:
git --version
Verify Fix Applied:
Verify Git version is 2.35.2 or later and documentation has been updated
📡 Detection & Monitoring
Log Indicators:
- Unusual git clone patterns, in particular security-audit clones performed without the --mirror flag
- Repository access logs showing clones of sensitive repositories
Network Indicators:
- Git protocol traffic to sensitive repositories without proper authentication
SIEM Query:
source="git_logs" AND (command="clone" AND NOT command="clone --mirror") AND repository="sensitive_*"
🔗 References
- https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191
- https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/
- https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
- https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/