CVE-2024-32478 MEDIUM

CVE-2024-32478: Git Credential Manager (GCM)'s Debian package does not set root ownership on installed files

Vendor Git-Ecosystem
Product git-credential-manager
Weakness CWE-732
Published April 19, 2024
Last update August 2, 2024

CVSS base score

6.9/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system can replace binary and gain other users' privileges. This vulnerability is fixed in 2.5.0.

Key dates

02Disclosure timeline

April 19, 2024 CVE published
August 2, 2024 Record updated