Vulnerability-Lookup

CVE-2005-4900 (GCVE-0-2005-4900)

Vulnerability from cvelistv5 – Published: 2016-10-14 16:00 – Updated: 2026-05-22 16:18

Summary

SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.

Severity

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Assigner

mitre

References

11 references

URL	Tags
https://sites.google.com/site/itstheshappening	x_refsource_MISC
http://www.securityfocus.com/bid/12577	vdb-entryx_refsource_BID
http://shattered.io/	x_refsource_MISC
https://www.schneier.com/blog/archives/2005/08/ne…	x_refsource_MISC
http://www.cwi.nl/news/2017/cwi-and-google-announ…	x_refsource_MISC
http://ia.cr/2007/474	x_refsource_MISC
https://security.googleblog.com/2017/02/announcin…	x_refsource_MISC
https://security.googleblog.com/2015/12/an-update…	x_refsource_MISC
https://www.schneier.com/blog/archives/2005/02/sh…	x_refsource_MISC
https://arstechnica.com/security/2017/02/at-death…	x_refsource_MISC
https://kc.mcafee.com/corporate/index?page=conten…	x_refsource_CONFIRM

Date Public

2005-02-15 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:01:23.514Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sites.google.com/site/itstheshappening"
          },
          {
            "name": "12577",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/12577"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://shattered.io/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ia.cr/2007/474"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2005-4900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-22T16:17:39.588677Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-327",
                "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T16:18:17.909Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2005-02-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T08:06:17.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sites.google.com/site/itstheshappening"
        },
        {
          "name": "12577",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/12577"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://shattered.io/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://ia.cr/2007/474"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2005-4900",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://sites.google.com/site/itstheshappening",
              "refsource": "MISC",
              "url": "https://sites.google.com/site/itstheshappening"
            },
            {
              "name": "12577",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/12577"
            },
            {
              "name": "http://shattered.io/",
              "refsource": "MISC",
              "url": "http://shattered.io/"
            },
            {
              "name": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html",
              "refsource": "MISC",
              "url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html"
            },
            {
              "name": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1",
              "refsource": "MISC",
              "url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1"
            },
            {
              "name": "http://ia.cr/2007/474",
              "refsource": "MISC",
              "url": "http://ia.cr/2007/474"
            },
            {
              "name": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html",
              "refsource": "MISC",
              "url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html"
            },
            {
              "name": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html",
              "refsource": "MISC",
              "url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html"
            },
            {
              "name": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html",
              "refsource": "MISC",
              "url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html"
            },
            {
              "name": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/",
              "refsource": "MISC",
              "url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/"
            },
            {
              "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340",
              "refsource": "CONFIRM",
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2005-4900",
    "datePublished": "2016-10-14T16:00:00.000Z",
    "dateReserved": "2016-10-14T00:00:00.000Z",
    "dateUpdated": "2026-05-22T16:18:17.909Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2005-4900",
      "date": "2026-05-27",
      "epss": "0.00198",
      "percentile": "0.41593"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"47.0.2526.111\", \"matchCriteriaId\": \"AFB52550-C3FC-4CDD-AA6E-500BD3304241\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.\"}, {\"lang\": \"es\", \"value\": \"SHA-1 no es resistente a la colisi\\u00f3n, lo que facilita a atacantes dependientes del contexto llevar a cabo ataques de espionaje, como es demostrado por ataques en el uso de SHA-1 en TLS 1.2. NOTA: esta CVE existe para dar un identificador com\\u00fan para referenciar este problema de SHA-1; la existencia de un identificador no es, en si misma, una recomendaci\\u00f3n tecnol\\u00f3gica.\"}]",
      "evaluatorComment": "SHA-1 is likely present in a large number of products across the entire IT sector. The applicability statement for this CVE will be updated when specific products are identified, as time and resources permit.",
      "id": "CVE-2005-4900",
      "lastModified": "2024-11-21T00:05:26.167",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2016-10-14T16:59:00.187",
      "references": "[{\"url\": \"http://ia.cr/2007/474\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://shattered.io/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/12577\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://sites.google.com/site/itstheshappening\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://ia.cr/2007/474\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://shattered.io/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/12577\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://sites.google.com/site/itstheshappening\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-326\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2005-4900\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-10-14T16:59:00.187\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.\"},{\"lang\":\"es\",\"value\":\"SHA-1 no es resistente a la colisi\u00f3n, lo que facilita a atacantes dependientes del contexto llevar a cabo ataques de espionaje, como es demostrado por ataques en el uso de SHA-1 en TLS 1.2. NOTA: esta CVE existe para dar un identificador com\u00fan para referenciar este problema de SHA-1; la existencia de un identificador no es, en si misma, una recomendaci\u00f3n tecnol\u00f3gica.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-326\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"47.0.2526.111\",\"matchCriteriaId\":\"AFB52550-C3FC-4CDD-AA6E-500BD3304241\"}]}]}],\"references\":[{\"url\":\"http://ia.cr/2007/474\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://shattered.io/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/12577\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://sites.google.com/site/itstheshappening\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://ia.cr/2007/474\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://shattered.io/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/12577\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://sites.google.com/site/itstheshappening\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}],\"evaluatorComment\":\"SHA-1 is likely present in a large number of products across the entire IT sector. The applicability statement for this CVE will be updated when specific products are identified, as time and resources permit.\"}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://sites.google.com/site/itstheshappening\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.securityfocus.com/bid/12577\", \"name\": \"12577\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\", \"x_transferred\"]}, {\"url\": \"http://shattered.io/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://ia.cr/2007/474\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-08T00:01:23.514Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2005-4900\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-22T16:17:39.588677Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-327\", \"description\": \"CWE-327 Use of a Broken or Risky Cryptographic Algorithm\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-22T16:16:34.456Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"datePublic\": \"2005-02-15T00:00:00.000Z\", \"references\": [{\"url\": \"https://sites.google.com/site/itstheshappening\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://www.securityfocus.com/bid/12577\", \"name\": \"12577\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\"]}, {\"url\": \"http://shattered.io/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://ia.cr/2007/474\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2020-12-09T08:06:17.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"n/a\"}]}, \"vendor_name\": \"n/a\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://sites.google.com/site/itstheshappening\", \"name\": \"https://sites.google.com/site/itstheshappening\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.securityfocus.com/bid/12577\", \"name\": \"12577\", \"refsource\": \"BID\"}, {\"url\": \"http://shattered.io/\", \"name\": \"http://shattered.io/\", \"refsource\": \"MISC\"}, {\"url\": \"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\", \"name\": \"https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\", \"name\": \"http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1\", \"refsource\": \"MISC\"}, {\"url\": \"http://ia.cr/2007/474\", \"name\": \"http://ia.cr/2007/474\", \"refsource\": \"MISC\"}, {\"url\": \"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\", \"name\": \"https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\", \"name\": \"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\", \"name\": \"https://www.schneier.com/blog/archives/2005/02/sha1_broken.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\", \"name\": \"https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/\", \"refsource\": \"MISC\"}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\", \"name\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10340\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"n/a\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2005-4900\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cve@mitre.org\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2005-4900\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-22T16:18:17.909Z\", \"dateReserved\": \"2016-10-14T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2016-10-14T16:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

OPENSUSE-SU-2024:11377-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

libsha1detectcoll-devel-1.0.3-4.12 on GA media

Severity

Moderate

Notes

Title of the patch: libsha1detectcoll-devel-1.0.3-4.12 on GA media

Description of the patch: These are all security issues fixed in the libsha1detectcoll-devel-1.0.3-4.12 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-11377

CVE-2005-4900

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.x86_64	—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2005-4900/	self
https://www.suse.com/security/cve/CVE-2005-4900	external
https://bugzilla.suse.com/1026646	external
https://bugzilla.suse.com/1026936	external
https://bugzilla.suse.com/1042640	external
https://bugzilla.suse.com/1150998	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "libsha1detectcoll-devel-1.0.3-4.12 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the libsha1detectcoll-devel-1.0.3-4.12 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11377",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11377-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2005-4900 page",
        "url": "https://www.suse.com/security/cve/CVE-2005-4900/"
      }
    ],
    "title": "libsha1detectcoll-devel-1.0.3-4.12 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11377-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsha1detectcoll-devel-1.0.3-4.12.aarch64",
                "product": {
                  "name": "libsha1detectcoll-devel-1.0.3-4.12.aarch64",
                  "product_id": "libsha1detectcoll-devel-1.0.3-4.12.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libsha1detectcoll1-1.0.3-4.12.aarch64",
                "product": {
                  "name": "libsha1detectcoll1-1.0.3-4.12.aarch64",
                  "product_id": "libsha1detectcoll1-1.0.3-4.12.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "sha1collisiondetection-1.0.3-4.12.aarch64",
                "product": {
                  "name": "sha1collisiondetection-1.0.3-4.12.aarch64",
                  "product_id": "sha1collisiondetection-1.0.3-4.12.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsha1detectcoll-devel-1.0.3-4.12.ppc64le",
                "product": {
                  "name": "libsha1detectcoll-devel-1.0.3-4.12.ppc64le",
                  "product_id": "libsha1detectcoll-devel-1.0.3-4.12.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libsha1detectcoll1-1.0.3-4.12.ppc64le",
                "product": {
                  "name": "libsha1detectcoll1-1.0.3-4.12.ppc64le",
                  "product_id": "libsha1detectcoll1-1.0.3-4.12.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "sha1collisiondetection-1.0.3-4.12.ppc64le",
                "product": {
                  "name": "sha1collisiondetection-1.0.3-4.12.ppc64le",
                  "product_id": "sha1collisiondetection-1.0.3-4.12.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsha1detectcoll-devel-1.0.3-4.12.s390x",
                "product": {
                  "name": "libsha1detectcoll-devel-1.0.3-4.12.s390x",
                  "product_id": "libsha1detectcoll-devel-1.0.3-4.12.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libsha1detectcoll1-1.0.3-4.12.s390x",
                "product": {
                  "name": "libsha1detectcoll1-1.0.3-4.12.s390x",
                  "product_id": "libsha1detectcoll1-1.0.3-4.12.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "sha1collisiondetection-1.0.3-4.12.s390x",
                "product": {
                  "name": "sha1collisiondetection-1.0.3-4.12.s390x",
                  "product_id": "sha1collisiondetection-1.0.3-4.12.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsha1detectcoll-devel-1.0.3-4.12.x86_64",
                "product": {
                  "name": "libsha1detectcoll-devel-1.0.3-4.12.x86_64",
                  "product_id": "libsha1detectcoll-devel-1.0.3-4.12.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libsha1detectcoll1-1.0.3-4.12.x86_64",
                "product": {
                  "name": "libsha1detectcoll1-1.0.3-4.12.x86_64",
                  "product_id": "libsha1detectcoll1-1.0.3-4.12.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "sha1collisiondetection-1.0.3-4.12.x86_64",
                "product": {
                  "name": "sha1collisiondetection-1.0.3-4.12.x86_64",
                  "product_id": "sha1collisiondetection-1.0.3-4.12.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll-devel-1.0.3-4.12.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.aarch64"
        },
        "product_reference": "libsha1detectcoll-devel-1.0.3-4.12.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll-devel-1.0.3-4.12.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.ppc64le"
        },
        "product_reference": "libsha1detectcoll-devel-1.0.3-4.12.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll-devel-1.0.3-4.12.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.s390x"
        },
        "product_reference": "libsha1detectcoll-devel-1.0.3-4.12.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll-devel-1.0.3-4.12.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.x86_64"
        },
        "product_reference": "libsha1detectcoll-devel-1.0.3-4.12.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll1-1.0.3-4.12.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.aarch64"
        },
        "product_reference": "libsha1detectcoll1-1.0.3-4.12.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll1-1.0.3-4.12.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.ppc64le"
        },
        "product_reference": "libsha1detectcoll1-1.0.3-4.12.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll1-1.0.3-4.12.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.s390x"
        },
        "product_reference": "libsha1detectcoll1-1.0.3-4.12.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsha1detectcoll1-1.0.3-4.12.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.x86_64"
        },
        "product_reference": "libsha1detectcoll1-1.0.3-4.12.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "sha1collisiondetection-1.0.3-4.12.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.aarch64"
        },
        "product_reference": "sha1collisiondetection-1.0.3-4.12.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "sha1collisiondetection-1.0.3-4.12.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.ppc64le"
        },
        "product_reference": "sha1collisiondetection-1.0.3-4.12.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "sha1collisiondetection-1.0.3-4.12.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.s390x"
        },
        "product_reference": "sha1collisiondetection-1.0.3-4.12.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "sha1collisiondetection-1.0.3-4.12.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.x86_64"
        },
        "product_reference": "sha1collisiondetection-1.0.3-4.12.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2005-4900",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2005-4900"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.aarch64",
          "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.ppc64le",
          "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.s390x",
          "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.x86_64",
          "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.aarch64",
          "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.ppc64le",
          "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.s390x",
          "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.x86_64",
          "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.aarch64",
          "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.ppc64le",
          "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.s390x",
          "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2005-4900",
          "url": "https://www.suse.com/security/cve/CVE-2005-4900"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1026646 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1026646"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1026936 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1026936"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1042640 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1042640"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1150998 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1150998"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.aarch64",
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.ppc64le",
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.s390x",
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.x86_64",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.aarch64",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.ppc64le",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.s390x",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.x86_64",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.aarch64",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.ppc64le",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.s390x",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.aarch64",
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.ppc64le",
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.s390x",
            "openSUSE Tumbleweed:libsha1detectcoll-devel-1.0.3-4.12.x86_64",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.aarch64",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.ppc64le",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.s390x",
            "openSUSE Tumbleweed:libsha1detectcoll1-1.0.3-4.12.x86_64",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.aarch64",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.ppc64le",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.s390x",
            "openSUSE Tumbleweed:sha1collisiondetection-1.0.3-4.12.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2005-4900"
    }
  ]
}

SUSE-SU-2025:20049-1

Vulnerability from csaf_suse - Published: 2025-02-03 08:55 - Updated: 2025-02-03 08:55

Summary

Security update for git

Severity

Important

Notes

Title of the patch: Security update for git

Description of the patch: This update for git fixes the following issues: git was updated to 2.45.1: * CVE-2024-32002: recursive clones on case-insensitive filesystems that support symbolic links are susceptible to case confusion (bsc#1224168) * CVE-2024-32004: arbitrary code execution during local clones (bsc#1224170) * CVE-2024-32020: file overwriting vulnerability during local clones (bsc#1224171) * CVE-2024-32021: git may create hardlinks to arbitrary user- readable files (bsc#1224172) * CVE-2024-32465: arbitrary code execution during clone operations (bsc#1224173) Update to 2.45.0: * Improved efficiency managing repositories with many references ("git init --ref-format=reftable") * "git checkout -p" and friends learned that that "@" is a synonym for "HEAD" * cli improvements handling refs * Expanded a number of commands and options, UI improvements * status.showUntrackedFiles now accepts "true" * git-cherry-pick(1) now automatically drops redundant commits with new --empty option * The userdiff patterns for C# has been updated. Update to 2.44.0: * "git checkout -B <branch>" now longer allows switching to a branch that is in use on another worktree. The users need to use "--ignore-other-worktrees" option. * Faster server-side rebases with git replay * Faster pack generation with multi-pack reuse * rebase auto-squashing now works in non-interactive mode * pathspec now understands attr, e.g. ':(attr:~binary) for selecting non-binaries, or builtin_objectmode for selecting items by file mode or other properties * Many other cli UI and internal improvements and extensions - Do not replace apparmor configuration, fixes bsc#1216545 Update to 2.43.2: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.txt * Update to a new feature recently added, "git show-ref --exists". * Rename detection logic ignored the final line of a file if it is an incomplete line. * "git diff --no-rename A B" did not disable rename detection but did not trigger an error from the command line parser. * "git diff --no-index file1 file2" segfaulted while invoking the external diff driver, which has been corrected. * A failed "git tag -s" did not necessarily result in an error depending on the crypto backend, which has been corrected. * "git stash" sometimes was silent even when it failed due to unwritable index file, which has been corrected. * Recent conversion to allow more than 0/1 in GIT_FLUSH broke the mechanism by flipping what yes/no means by mistake, which has been corrected. Update to 2.43.1: * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.txt - gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664) - git moved to /usr/libexec/git/git, update AppArmor profile accordingly (bsc#1218588) Update to 2.43.0: * The "--rfc" option of "git format-patch" used to be a valid way to override an earlier "--subject-prefix=<something>" on the command line and replace it with "[RFC PATCH]", but from this release, it merely prefixes the string "RFC " in front of the given subject prefix. If you are negatively affected by this change, please use "--subject-prefix=PATCH --rfc" as a replacement. * In Git 2.42, "git rev-list --stdin" learned to take non-revisions (like "--not") from the standard input, but the way such a "--not" was handled was quite confusing, which has been rethought. The updated rule is that "--not" given from the command line only affects revs given from the command line that comes but not revs read from the standard input, and "--not" read from the standard input affects revs given from the standard input and not revs given from the command line. * A message written in olden time prevented a branch from getting checked out, saying it is already checked out elsewhere. But these days, we treat a branch that is being bisected or rebased just like a branch that is checked out and protect it from getting modified with the same codepath. The message has been rephrased to say that the branch is "in use" to avoid confusion. * Hourly and other schedules of "git maintenance" jobs are randomly distributed now. * "git cmd -h" learned to signal which options can be negated by listing such options like "--[no-]opt". * The way authentication related data other than passwords (e.g., oauth token and password expiration data) are stored in libsecret keyrings has been rethought. * Update the libsecret and wincred credential helpers to correctly match which credential to erase; they erased the wrong entry in some cases. * Git GUI updates. * "git format-patch" learned a new "--description-file" option that lets cover letter description to be fed; this can be used on detached HEAD where there is no branch description available, and also can override the branch description if there is one. * Use of the "--max-pack-size" option to allow multiple packfiles to be created is now supported even when we are sending unreachable objects to cruft packs. * "git format-patch --rfc --subject-prefix=<foo>" used to ignore the "--subject-prefix" option and used "[RFC PATCH]"; now we will add "RFC" prefix to whatever subject prefix is specified. * "git log --format" has been taught the %(decorate) placeholder for further customization over what the "--decorate" option offers. * The default log message created by "git revert", when reverting a commit that records a revert, has been tweaked, to encourage people to describe complex "revert of revert of revert" situations better in their own words. * The command-line completion support (in contrib/) learned to complete "git commit --trailer=" for possible trailer keys. * "git update-index" learned the "--show-index-version" option to inspect the index format version used by the on-disk index file. * "git diff" learned the "diff.statNameWidth" configuration variable, to give the default width for the name part in the "--stat" output. * "git range-diff --notes=foo" compared "log --notes=foo --notes" of the two ranges, instead of using just the specified notes tree, which has been corrected to use only the specified notes tree. * The command line completion script (in contrib/) can be told to complete aliases by including ": git <cmd> ;" in the alias to tell it that the alias should be completed in a similar way to how "git <cmd>" is completed. The parsing code for the alias has been loosened to allow ';' without an extra space before it. * "git for-each-ref" and friends learned to apply mailmap to authorname and other fields in a more flexible way than using separate placeholder letters like %a[eElL] every time we want to come up with small variants. * "git repack" machinery learned to pay attention to the "--filter=" option. * "git repack" learned the "--max-cruft-size" option to prevent cruft packs from growing without bounds. * "git merge-tree" learned to take strategy backend specific options via the "-X" option, like "git merge" does. * "git log" and friends learned the "--dd" option that is a short-hand for "--diff-merges=first-parent -p". * The attribute subsystem learned to honor the "attr.tree" configuration variable that specifies which tree to read the .gitattributes files from. * "git merge-file" learns a mode to read three variants of the contents to be merged from blob objects. * see https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.0.txt Update 2.42.1: * Fix "git diff" exit code handling

Patchnames: SUSE-SLE-Micro-6.0-48

CVE-2005-4900

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2017-14867

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-32002

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-32004

8.1 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-32020

3.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-32021

3.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-32465

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 9 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

References

45 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1042640	self
https://bugzilla.suse.com/1061041	self
https://bugzilla.suse.com/1069468	self
https://bugzilla.suse.com/1082023	self
https://bugzilla.suse.com/1216545	self
https://bugzilla.suse.com/1218588	self
https://bugzilla.suse.com/1218664	self
https://bugzilla.suse.com/1224168	self
https://bugzilla.suse.com/1224170	self
https://bugzilla.suse.com/1224171	self
https://bugzilla.suse.com/1224172	self
https://bugzilla.suse.com/1224173	self
https://bugzilla.suse.com/779536	self
https://www.suse.com/security/cve/CVE-2005-4900/	self
https://www.suse.com/security/cve/CVE-2017-14867/	self
https://www.suse.com/security/cve/CVE-2024-32002/	self
https://www.suse.com/security/cve/CVE-2024-32004/	self
https://www.suse.com/security/cve/CVE-2024-32020/	self
https://www.suse.com/security/cve/CVE-2024-32021/	self
https://www.suse.com/security/cve/CVE-2024-32465/	self
https://www.suse.com/security/cve/CVE-2005-4900	external
https://bugzilla.suse.com/1026646	external
https://bugzilla.suse.com/1026936	external
https://bugzilla.suse.com/1042640	external
https://bugzilla.suse.com/1150998	external
https://www.suse.com/security/cve/CVE-2017-14867	external
https://bugzilla.suse.com/1060377	external
https://bugzilla.suse.com/1060378	external
https://bugzilla.suse.com/1061041	external
https://www.suse.com/security/cve/CVE-2024-32002	external
https://bugzilla.suse.com/1224168	external
https://bugzilla.suse.com/1224170	external
https://www.suse.com/security/cve/CVE-2024-32004	external
https://bugzilla.suse.com/1224170	external
https://www.suse.com/security/cve/CVE-2024-32020	external
https://bugzilla.suse.com/1224171	external
https://www.suse.com/security/cve/CVE-2024-32021	external
https://bugzilla.suse.com/1224172	external
https://www.suse.com/security/cve/CVE-2024-32465	external
https://bugzilla.suse.com/1224170	external
https://bugzilla.suse.com/1224173	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for git",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for git fixes the following issues:\n\ngit was updated to 2.45.1:\n\n * CVE-2024-32002: recursive clones on case-insensitive\n   filesystems that support symbolic links are susceptible to case\n   confusion (bsc#1224168)\n * CVE-2024-32004: arbitrary code execution during local clones\n   (bsc#1224170)\n * CVE-2024-32020: file overwriting vulnerability during local\n   clones (bsc#1224171)\n * CVE-2024-32021: git may create hardlinks to arbitrary user-\n   readable files (bsc#1224172)\n * CVE-2024-32465: arbitrary code execution during clone operations\n   (bsc#1224173)\n\nUpdate to 2.45.0:\n\n  * Improved efficiency managing repositories with many references\n    (\"git init --ref-format=reftable\")\n  * \"git checkout -p\" and friends learned that that \"@\" is a\n    synonym for \"HEAD\"\n  * cli improvements handling refs\n  * Expanded a number of commands and options, UI improvements\n  * status.showUntrackedFiles now accepts \"true\"\n  * git-cherry-pick(1) now automatically drops redundant commits\n    with new --empty option\n  * The userdiff patterns for C# has been updated.\n\nUpdate to 2.44.0:\n\n  * \"git checkout -B \u003cbranch\u003e\" now longer allows switching to a\n    branch that is in use on another worktree. The users need to\n    use \"--ignore-other-worktrees\" option.\n  * Faster server-side rebases with git replay\n  * Faster pack generation with multi-pack reuse\n  * rebase auto-squashing now works in non-interactive mode\n  * pathspec now understands attr, e.g. \u0027:(attr:~binary) for\n    selecting non-binaries, or builtin_objectmode for selecting\n    items by file mode or other properties\n  * Many other cli UI and internal improvements and extensions\n\n- Do not replace apparmor configuration, fixes bsc#1216545\n\nUpdate to 2.43.2:\n\n  * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.txt\n  * Update to a new feature recently added, \"git show-ref --exists\".\n  * Rename detection logic ignored the final line of a file if it\n    is an incomplete line.\n  * \"git diff --no-rename A B\" did not disable rename detection but\n    did not trigger an error from the command line parser.\n  * \"git diff --no-index file1 file2\" segfaulted while invoking the\n    external diff driver, which has been corrected.\n  * A failed \"git tag -s\" did not necessarily result in an error\n    depending on the crypto backend, which has been corrected.\n  * \"git stash\" sometimes was silent even when it failed due to\n    unwritable index file, which has been corrected.\n  * Recent conversion to allow more than 0/1 in GIT_FLUSH broke the\n    mechanism by flipping what yes/no means by mistake, which has\n    been corrected.\n\nUpdate to 2.43.1:\n\n  * https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.txt\n\n- gitweb AppArmor profile: allow reading etc/gitweb-common.conf\n  (bsc#1218664)\n\n- git moved to /usr/libexec/git/git, update AppArmor profile\n  accordingly (bsc#1218588)\n\nUpdate to 2.43.0:\n\n * The \"--rfc\" option of \"git format-patch\" used to be a valid way to\n   override an earlier \"--subject-prefix=\u003csomething\u003e\" on the command\n   line and replace it with \"[RFC PATCH]\", but from this release, it\n   merely prefixes the string \"RFC \" in front of the given subject\n   prefix.  If you are negatively affected by this change, please use\n   \"--subject-prefix=PATCH --rfc\" as a replacement.\n * In Git 2.42, \"git rev-list --stdin\" learned to take non-revisions\n   (like \"--not\") from the standard input, but the way such a \"--not\" was\n   handled was quite confusing, which has been rethought.  The updated\n   rule is that \"--not\" given from the command line only affects revs\n   given from the command line that comes but not revs read from the\n   standard input, and \"--not\" read from the standard input affects\n   revs given from the standard input and not revs given from the\n   command line.\n * A message written in olden time prevented a branch from getting\n   checked out, saying it is already checked out elsewhere. But these\n   days, we treat a branch that is being bisected or rebased just like\n   a branch that is checked out and protect it from getting modified\n   with the same codepath.  The message has been rephrased to say that\n   the branch is \"in use\" to avoid confusion.\n * Hourly and other schedules of \"git maintenance\" jobs are randomly\n   distributed now.\n * \"git cmd -h\" learned to signal which options can be negated by\n   listing such options like \"--[no-]opt\".\n * The way authentication related data other than passwords (e.g.,\n   oauth token and password expiration data) are stored in libsecret\n   keyrings has been rethought.\n * Update the libsecret and wincred credential helpers to correctly\n   match which credential to erase; they erased the wrong entry in\n   some cases.\n * Git GUI updates.\n * \"git format-patch\" learned a new \"--description-file\" option that\n   lets cover letter description to be fed; this can be used on\n   detached HEAD where there is no branch description available, and\n   also can override the branch description if there is one.\n * Use of the \"--max-pack-size\" option to allow multiple packfiles to\n   be created is now supported even when we are sending unreachable\n   objects to cruft packs.\n * \"git format-patch --rfc --subject-prefix=\u003cfoo\u003e\" used to ignore the\n   \"--subject-prefix\" option and used \"[RFC PATCH]\"; now we will add\n   \"RFC\" prefix to whatever subject prefix is specified.\n * \"git log --format\" has been taught the %(decorate) placeholder for\n   further customization over what the \"--decorate\" option offers.\n * The default log message created by \"git revert\", when reverting a\n   commit that records a revert, has been tweaked, to encourage people\n   to describe complex \"revert of revert of revert\" situations better in\n   their own words.\n * The command-line completion support (in contrib/) learned to\n   complete \"git commit --trailer=\" for possible trailer keys.\n * \"git update-index\" learned the \"--show-index-version\" option to\n   inspect the index format version used by the on-disk index file.\n * \"git diff\" learned the \"diff.statNameWidth\" configuration variable,\n   to give the default width for the name part in the \"--stat\" output.\n * \"git range-diff --notes=foo\" compared \"log --notes=foo --notes\" of\n   the two ranges, instead of using just the specified notes tree,\n   which has been corrected to use only the specified notes tree.\n * The command line completion script (in contrib/) can be told to\n   complete aliases by including \": git \u003ccmd\u003e ;\" in the alias to tell\n   it that the alias should be completed in a similar way to how \"git\n   \u003ccmd\u003e\" is completed.  The parsing code for the alias has been\n   loosened to allow \u0027;\u0027 without an extra space before it.\n * \"git for-each-ref\" and friends learned to apply mailmap to\n   authorname and other fields in a more flexible way than using\n   separate placeholder letters like %a[eElL] every time we want to\n   come up with small variants.\n * \"git repack\" machinery learned to pay attention to the \"--filter=\"\n   option.\n * \"git repack\" learned the \"--max-cruft-size\" option to prevent cruft\n   packs from growing without bounds.\n * \"git merge-tree\" learned to take strategy backend specific options\n   via the \"-X\" option, like \"git merge\" does.\n * \"git log\" and friends learned the \"--dd\" option that is a\n   short-hand for \"--diff-merges=first-parent -p\".\n * The attribute subsystem learned to honor the \"attr.tree\"\n   configuration variable that specifies which tree to read the\n   .gitattributes files from.\n * \"git merge-file\" learns a mode to read three variants of the\n   contents to be merged from blob objects.\n * see https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.0.txt\n\nUpdate 2.42.1:\n\n  * Fix \"git diff\" exit code handling\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.0-48",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20049-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20049-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520049-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20049-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021288.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1042640",
        "url": "https://bugzilla.suse.com/1042640"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1061041",
        "url": "https://bugzilla.suse.com/1061041"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1069468",
        "url": "https://bugzilla.suse.com/1069468"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1082023",
        "url": "https://bugzilla.suse.com/1082023"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1216545",
        "url": "https://bugzilla.suse.com/1216545"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1218588",
        "url": "https://bugzilla.suse.com/1218588"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1218664",
        "url": "https://bugzilla.suse.com/1218664"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1224168",
        "url": "https://bugzilla.suse.com/1224168"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1224170",
        "url": "https://bugzilla.suse.com/1224170"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1224171",
        "url": "https://bugzilla.suse.com/1224171"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1224172",
        "url": "https://bugzilla.suse.com/1224172"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1224173",
        "url": "https://bugzilla.suse.com/1224173"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 779536",
        "url": "https://bugzilla.suse.com/779536"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2005-4900 page",
        "url": "https://www.suse.com/security/cve/CVE-2005-4900/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-14867 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-14867/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32002 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32002/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32004 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32004/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32020 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32020/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32021 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32021/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-32465 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-32465/"
      }
    ],
    "title": "Security update for git",
    "tracking": {
      "current_release_date": "2025-02-03T08:55:36Z",
      "generator": {
        "date": "2025-02-03T08:55:36Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20049-1",
      "initial_release_date": "2025-02-03T08:55:36Z",
      "revision_history": [
        {
          "date": "2025-02-03T08:55:36Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "git-2.45.1-1.1.aarch64",
                "product": {
                  "name": "git-2.45.1-1.1.aarch64",
                  "product_id": "git-2.45.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "git-core-2.45.1-1.1.aarch64",
                "product": {
                  "name": "git-core-2.45.1-1.1.aarch64",
                  "product_id": "git-core-2.45.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "perl-Git-2.45.1-1.1.aarch64",
                "product": {
                  "name": "perl-Git-2.45.1-1.1.aarch64",
                  "product_id": "perl-Git-2.45.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "git-2.45.1-1.1.s390x",
                "product": {
                  "name": "git-2.45.1-1.1.s390x",
                  "product_id": "git-2.45.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "git-core-2.45.1-1.1.s390x",
                "product": {
                  "name": "git-core-2.45.1-1.1.s390x",
                  "product_id": "git-core-2.45.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "perl-Git-2.45.1-1.1.s390x",
                "product": {
                  "name": "perl-Git-2.45.1-1.1.s390x",
                  "product_id": "perl-Git-2.45.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "git-2.45.1-1.1.x86_64",
                "product": {
                  "name": "git-2.45.1-1.1.x86_64",
                  "product_id": "git-2.45.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "git-core-2.45.1-1.1.x86_64",
                "product": {
                  "name": "git-core-2.45.1-1.1.x86_64",
                  "product_id": "git-core-2.45.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "perl-Git-2.45.1-1.1.x86_64",
                "product": {
                  "name": "perl-Git-2.45.1-1.1.x86_64",
                  "product_id": "perl-Git-2.45.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.0",
                "product": {
                  "name": "SUSE Linux Micro 6.0",
                  "product_id": "SUSE Linux Micro 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "git-2.45.1-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64"
        },
        "product_reference": "git-2.45.1-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "git-2.45.1-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x"
        },
        "product_reference": "git-2.45.1-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "git-2.45.1-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64"
        },
        "product_reference": "git-2.45.1-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "git-core-2.45.1-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64"
        },
        "product_reference": "git-core-2.45.1-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "git-core-2.45.1-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x"
        },
        "product_reference": "git-core-2.45.1-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "git-core-2.45.1-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64"
        },
        "product_reference": "git-core-2.45.1-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-Git-2.45.1-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64"
        },
        "product_reference": "perl-Git-2.45.1-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-Git-2.45.1-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x"
        },
        "product_reference": "perl-Git-2.45.1-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "perl-Git-2.45.1-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        },
        "product_reference": "perl-Git-2.45.1-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2005-4900",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2005-4900"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2.  NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2005-4900",
          "url": "https://www.suse.com/security/cve/CVE-2005-4900"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1026646 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1026646"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1026936 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1026936"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1042640 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1042640"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1150998 for CVE-2005-4900",
          "url": "https://bugzilla.suse.com/1150998"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2005-4900"
    },
    {
      "cve": "CVE-2017-14867",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-14867"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-14867",
          "url": "https://www.suse.com/security/cve/CVE-2017-14867"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1060377 for CVE-2017-14867",
          "url": "https://bugzilla.suse.com/1060377"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1060378 for CVE-2017-14867",
          "url": "https://bugzilla.suse.com/1060378"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1061041 for CVE-2017-14867",
          "url": "https://bugzilla.suse.com/1061041"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "important"
        }
      ],
      "title": "CVE-2017-14867"
    },
    {
      "cve": "CVE-2024-32002",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32002"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule\u0027s worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won\u0027t work. As always, it is best to avoid cloning repositories from untrusted sources.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32002",
          "url": "https://www.suse.com/security/cve/CVE-2024-32002"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224168 for CVE-2024-32002",
          "url": "https://bugzilla.suse.com/1224168"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224170 for CVE-2024-32002",
          "url": "https://bugzilla.suse.com/1224170"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-32002"
    },
    {
      "cve": "CVE-2024-32004",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32004"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32004",
          "url": "https://www.suse.com/security/cve/CVE-2024-32004"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224170 for CVE-2024-32004",
          "url": "https://bugzilla.suse.com/1224170"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-32004"
    },
    {
      "cve": "CVE-2024-32020",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32020"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository\u0027s object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32020",
          "url": "https://www.suse.com/security/cve/CVE-2024-32020"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224171 for CVE-2024-32020",
          "url": "https://bugzilla.suse.com/1224171"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-32020"
    },
    {
      "cve": "CVE-2024-32021",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32021"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository\u0027s `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32021",
          "url": "https://www.suse.com/security/cve/CVE-2024-32021"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224172 for CVE-2024-32021",
          "url": "https://bugzilla.suse.com/1224172"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-32021"
    },
    {
      "cve": "CVE-2024-32465",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-32465"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
          "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-32465",
          "url": "https://www.suse.com/security/cve/CVE-2024-32465"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224170 for CVE-2024-32465",
          "url": "https://bugzilla.suse.com/1224170"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224173 for CVE-2024-32465",
          "url": "https://bugzilla.suse.com/1224173"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:git-core-2.45.1-1.1.x86_64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.aarch64",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.s390x",
            "SUSE Linux Micro 6.0:perl-Git-2.45.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:55:36Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-32465"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2005-4900 (GCVE-0-2005-4900)

OPENSUSE-SU-2024:11377-1

SUSE-SU-2025:20049-1

Tags

Sightings

Nomenclature