CVE-2022-24975

Publication date 11 February 2022

Last updated 24 July 2024


Ubuntu priority

Negligible

Why this priority?

Cvss 3 Severity Score

7.5 · High

Score breakdown

** DISPUTED ** The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the “GitBleed” issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.

Read the notes from the security team

Status

Package Ubuntu Release Status
git 22.04 LTS jammy Ignored documentation patch only
21.10 impish Ignored end of life
20.04 LTS focal Ignored documentation patch only
18.04 LTS bionic Ignored documentation patch only
16.04 LTS xenial Ignored documentation patch only
14.04 LTS trusty Ignored end of standard support

Notes


eslerm

--mirror appears to work as intended and clearly documents that all refs are copied (which includes deleted branches and git reset data) vendor diputes CVE

Severity score breakdown

Parameter Value
Base score 7.5 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N