CVE-2024-32478

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-32478
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32478.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-32478
Aliases
  • GHSA-3c3g-h9rx-f7vq
Published
2024-04-19T14:37:57.617Z
Modified
2025-12-05T04:20:00.314909Z
Severity
  • 6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Git Credential Manager (GCM)'s Debian package does not set root ownership on installed files
Details

Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system can replace binary and gain other users' privileges. This vulnerability is fixed in 2.5.0.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-732"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32478.json"
}
References

Affected packages

Git / github.com/git-ecosystem/git-credential-manager

Affected ranges

Type
GIT
Repo
https://github.com/git-ecosystem/git-credential-manager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d34930736e131ad80e5690e5634ced1808aff3e2

Affected versions

v2.*
v2.0.124-beta
v2.0.153-beta
v2.0.157-beta
v2.0.164-beta
v2.0.194-beta
v2.0.22-beta
v2.0.246-beta
v2.0.249-beta
v2.0.252-beta
v2.0.280-beta
v2.0.289-beta
v2.0.318-beta
v2.0.33-beta
v2.0.374-beta
v2.0.394-beta
v2.0.435-beta
v2.0.452
v2.0.472
v2.0.474
v2.0.475
v2.0.498
v2.0.5-beta
v2.0.567
v2.0.603
v2.0.605
v2.0.632
v2.0.692
v2.0.696
v2.0.779
v2.0.785
v2.0.79-beta
v2.0.866
v2.0.87-beta
v2.0.877
v2.0.886
v2.0.931
v2.0.935
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32478.json"