nvd-json-data-feeds/CVE-2024/CVE-2024-520xx/CVE-2024-52005.json

{
  "id": "CVE-2024-52005",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2025-01-15T18:15:24.130",
  "lastModified": "2025-01-15T18:15:24.130",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called \"sideband channel\". These messages will be prefixed with \"remote:\" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources."
    },
    {
      "lang": "es",
      "value": "Git es una herramienta de gesti\u00f3n de c\u00f3digo fuente. Al clonar desde un servidor (o buscar o enviar), los mensajes de informaci\u00f3n o error se transportan desde el proceso Git remoto al cliente a trav\u00e9s del llamado \"sideband channel\". Estos mensajes tendr\u00e1n el prefijo \"remote:\" y se imprimir\u00e1n directamente en la salida de error est\u00e1ndar. Normalmente, esta salida de error est\u00e1ndar est\u00e1 conectada a una terminal que entiende las secuencias de escape ANSI, contra las que Git no protegi\u00f3. La mayor\u00eda de las terminales modernas admiten secuencias de control que pueden ser utilizadas por un actor malintencionado para ocultar y tergiversar informaci\u00f3n, o para enga\u00f1ar al usuario para que ejecute scripts no confiables. Como se solicit\u00f3 en la lista de correo git-security, los parches se est\u00e1n discutiendo en la lista de correo p\u00fablica. Se recomienda a los usuarios que actualicen lo antes posible. Los usuarios que no puedan actualizar deben evitar los clones recursivos a menos que sean de fuentes confiables."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "privilegesRequired": "NONE",
          "userInteraction": "ACTIVE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "subAvailabilityImpact": "NONE",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-116"
        },
        {
          "lang": "en",
          "value": "CWE-150"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net",
      "source": "security-advisories@github.com"
    }
  ]
}