CVE-2022-24975

NameCVE-2022-24975
DescriptionThe --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git (PTS)stretch (security), stretch1:2.11.0-3+deb9u7vulnerable
buster, buster (security)1:2.20.1-2+deb10u3vulnerable
bullseye1:2.30.2-1vulnerable
bookworm1:2.35.1-1vulnerable
sid1:2.36.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gitsource(unstable)(unfixed)unimportant

Notes

https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
CVE is specifically about --mirror documentation not mentioning the availability
of deleted content.

Search for package or bug name: Reporting problems