CVE-2024-24575

7.5 HIGH

📋 TL;DR

CVE-2024-24575 is a vulnerability in libgit2 where specially crafted input to the git_revparse_single function can cause an infinite loop, leading to denial of service. It may also result in unintended memory access and potential information leakage. Applications using vulnerable libgit2 versions before 1.6.5 or 1.7.2 are affected.

💻 Affected Systems

Products:
  • libgit2
  • Applications embedding libgit2 library
Versions: Versions 1.4.0 through 1.6.4, and 1.7.0 through 1.7.1
Operating Systems: All platforms where libgit2 is used
Default Config Vulnerable: ⚠️ Yes
Notes: Versions before 1.4.0 are not affected. Applications must use the git_revparse_single function with untrusted input.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through infinite loop consumption of CPU resources, potential memory exhaustion, and possible information leakage if memory contents are exposed.

🟠

Likely Case

Denial of service causing application unresponsiveness or crashes when processing malicious git revision specifications.

🟢

If Mitigated

Minimal impact if input validation or rate limiting prevents malicious payloads from reaching the vulnerable function.

🌐 Internet-Facing: MEDIUM - Applications exposing git functionality to untrusted users could be targeted, but requires specific git operations.
🏢 Internal Only: LOW - Requires authenticated access to trigger the vulnerable function with crafted inputs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to provide crafted inputs to the vulnerable function, typically through git operations. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5 or 1.7.2

Vendor Advisory: https://github.com/libgit2/libgit2/security/advisories/GHSA-54mf-x2rh-hq9v

Restart Required: Yes

Instructions:

1. Identify the libgit2 version in use.
2. Update to version 1.6.5 or 1.7.2 using your package manager or by building from source.
3. Rebuild and restart applications using libgit2.

🔧 Temporary Workarounds

Input validation (applies to: all)

Validate and sanitize git revision specifications before passing them to libgit2 functions.

Rate limiting (applies to: all)

Implement rate limiting on git operations to prevent DoS attacks.

🧯 If You Can't Patch

  • Implement strict input validation for all git revision specifications
  • Isolate applications using libgit2 behind firewalls with limited network access

🔍 How to Verify

Check if Vulnerable:

Check the libgit2 version with pkg-config --modversion libgit2, or inspect the application's dependencies.

Check Version:

pkg-config --modversion libgit2

Verify Fix Applied:

Confirm the version is 1.6.5 or later on the 1.6 branch, or 1.7.2 or later on the 1.7 branch (the affected ranges are 1.4.0 through 1.6.4 and 1.7.0 through 1.7.1).
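The version check above, as an added POSIX shell example that is not part of this page or of libgit2: it parses a MAJOR.MINOR.PATCH string, tests it against the affected ranges stated above, and optionally queries the installed library via pkg-config. The function names and the --check flag are this example's own.

```shell
#!/bin/sh
# Added example: classify a libgit2 version against the CVE-2024-24575
# affected ranges (1.4.0 through 1.6.4, and 1.7.0 through 1.7.1).

# Turn "MAJOR.MINOR.PATCH" into one comparable integer (1.6.4 -> 1006004).
# Missing components count as 0; a suffix such as "-rc1" is stripped.
version_key() {
    v=${1%%-*}
    major=${v%%.*}; rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    : "${minor:=0}" "${patch:=0}"
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Returns 0 (true) when the version is in an affected range, 1 otherwise.
libgit2_vulnerable() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.4.0)" ] && [ "$k" -le "$(version_key 1.6.4)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(version_key 1.7.0)" ] && [ "$k" -le "$(version_key 1.7.1)" ]; then
        return 0
    fi
    return 1
}

# Query the installed library the way the page suggests and report the result.
# Exit status: 0 affected, 1 not affected, 2 libgit2 not found.
check_installed_libgit2() {
    ver=$(pkg-config --modversion libgit2 2>/dev/null) || {
        echo "libgit2 not found via pkg-config"; return 2; }
    if libgit2_vulnerable "$ver"; then
        echo "libgit2 $ver: affected by CVE-2024-24575, update to 1.6.5 / 1.7.2 or later"
        return 0
    fi
    echo "libgit2 $ver: not in an affected range"
    return 1
}

# Run as "sh check.sh --check" to inspect the installed library.
[ "${1:-}" = "--check" ] && check_installed_libgit2
```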

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for git operations
  • Application crashes related to git_revparse_single
  • High CPU usage from processes using libgit2

Network Indicators:

  • Unusual patterns of git protocol requests
  • Repeated git operations from single sources

SIEM Query:

Process logs for libgit2-related applications showing abnormal resource consumption or crashes
