{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-24975", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T04:29:01.534Z", "dateReserved": "2022-02-11T00:00:00", "datePublished": "2022-02-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-01T09:00:21.488613"}, "descriptions": [{"lang": "en", "value": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/"}, {"url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"}, {"url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/"}, {"url": "https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:29:01.534Z"}, "title": "CVE Program Container", "references": [{"url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/", "tags": ["x_transferred"]}, {"url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191", "tags": ["x_transferred"]}, {"url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "0342C612-A603-40D9-B6EF-B8D8D3DAA3A5", "versionEndIncluding": "2.35.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk."}, {"lang": "es", "value": "La documentaci\u00f3n --mirror para Git versiones hasta 2.35.1, no menciona la disponibilidad del contenido eliminado, tambi\u00e9n se conoce como el problema \"GitBleed\". Esto podr\u00eda presentar un riesgo de seguridad si los procesos de auditor\u00eda de divulgaci\u00f3n de informaci\u00f3n dependen de una operaci\u00f3n de clonaci\u00f3n sin la opci\u00f3n --mirror"}], "id": "CVE-2022-24975", "lastModified": "2024-11-21T06:51:29.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T20:15:07.507", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"}, {"source": "cve@mitre.org", "url": "https://lore.kernel.org/git/xmqq4k14qe9g.fsf%40gitster.g/"}, {"source": "cve@mitre.org", "url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "git: The --mirror option for git leaks secret for deleted content, aka the \"GitBleed\"", "id": "2054686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2054686"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.", "A flaw known as \"GitBleed\" was found in Git, where repositories cloned via the \"\u2013mirror\" option may leak secrets or sensitive information if not properly removed/deleted earlier. This flaw allows attackers and bug bounty hunters to use this discrepancy in Git behavior to find hidden secrets and other sensitive data in public repositories."], "mitigation": {"lang": "en:us", "value": "Organizations can mitigate this by analyzing a fuller copy of their repositories using the \u201c\u2013mirror\u201d option and removing sensitive data using tools like BFG or git-filter-repo. Garbage collection and pruning in git is also recommended.\nOrganizations should not analyze regular cloned copies (without the \u201c\u2013mirror\u201d option) since that may provide a false sense of security, and should not rely on methods of removing secrets such as deleting a branch or rewinding history via the \u201cgit reset\u201d command."}, "name": "CVE-2022-24975", "package_state": [{"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-git227-git", "product_name": "Red Hat Software Collections"}], "public_date": "2022-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24975\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24975\nhttps://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/"], "statement": "The \"GitBleed\" issue can't be fixed, because it requires basic user education and can be fixed only by administrators responsible for individual repositories by analyzing a whole copy of their own repositories using the \u201c\u2013mirror\u201d option and removing sensitive data using tools like BFG or git-filter-repo.", "threat_severity": "Low"}