Description
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk.
A flaw known as "GitBleed" was found in Git, where repositories cloned via the "--mirror" option may leak secrets or sensitive information if they were not properly removed/deleted earlier. This flaw allows attackers and bug bounty hunters to use this discrepancy in Git behavior to find hidden secrets and other sensitive data in public repositories.
Report
The "GitBleed" issue cannot be fixed in Git itself, because it is a matter of basic user education; it can be addressed only by the administrators responsible for individual repositories, by analyzing a whole copy of their own repositories obtained with the "--mirror" option and removing sensitive data using tools like BFG or git-filter-repo.
Mitigation
Organizations can mitigate this by analyzing a fuller copy of their repositories obtained with the "--mirror" option and removing sensitive data using tools like BFG or git-filter-repo. Garbage collection and pruning in git is also recommended. Organizations should not analyze regular cloned copies (made without the "--mirror" option), since that may provide a false sense of security, and should not rely on methods of removing secrets such as deleting a branch or rewinding history via the "git reset" command.
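As an added example (not part of this advisory or of the Git project), the following POSIX shell script reproduces the discrepancy on a throwaway repository and runs the audit the mitigation text describes. It assumes git and mktemp are on PATH; the ref name refs/backup/oldwork, the file names and the FAKE_SECRET string are constructed for the demo and are not real. The script commits a credential, "removes" it by rewinding the branch while a non-branch ref still points at the commit, and then compares a regular clone with a --mirror clone, scanning every ref of each for the string. It finishes with the simple mitigation for this case (delete the stray ref, expire reflogs, gc --prune) and verifies that a fresh mirror clone no longer contains the commit.

```shell
#!/bin/sh
# Added example for the GitBleed advisory; not the advisory's own code.
# Assumption: git and mktemp are available. All repository contents are constructed.
set -eu
command -v git >/dev/null 2>&1 || { echo "git is required for this demo" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORIGIN="$WORK/origin.git"
SRC="$WORK/src"
FAKE_SECRET='EXAMPLE_TOKEN_not_a_real_credential'   # constructed marker, not a real secret

# Count commits, across every ref the repository knows about, that added or
# removed the marker string. This is the check to run on a --mirror clone.
count_secret_commits() {
  git -C "$1" log --all --format=%H -S"$FAKE_SECRET" | wc -l | tr -d ' '
}

# List every ref a repository holds (branches, tags and anything else).
list_refs() {
  git -C "$1" for-each-ref --format='%(refname)'
}

# --- build the constructed origin -------------------------------------------
git init -q --bare "$ORIGIN"
git init -q "$SRC"
git -C "$SRC" config user.email audit@example.invalid
git -C "$SRC" config user.name audit
printf 'hello\n' > "$SRC/README"
git -C "$SRC" add README
git -C "$SRC" commit -q -m 'initial'
# A later commit accidentally adds a credential ...
printf 'token=%s\n' "$FAKE_SECRET" > "$SRC/config.ini"
git -C "$SRC" add config.ini
git -C "$SRC" commit -q -m 'add config'
SECRET_COMMIT=$(git -C "$SRC" rev-parse HEAD)
# ... the branch is then rewound (the advisory warns this is not a real removal)
# while a non-branch ref still points at the commit. Hosting platforms keep
# similar refs, e.g. under refs/pull/*, that a regular clone never fetches.
git -C "$SRC" update-ref refs/backup/oldwork "$SECRET_COMMIT"
git -C "$SRC" reset -q --hard HEAD~1
git -C "$SRC" push -q --mirror "$ORIGIN"

# --- regular clone vs --mirror clone ----------------------------------------
# --no-local forces the normal fetch transport, so only advertised refs and the
# objects reachable from them are transferred, as with a remote server.
git clone -q --no-local "$ORIGIN" "$WORK/regular"
git clone -q --no-local --mirror "$ORIGIN" "$WORK/mirror.git"
REGULAR_HITS=$(count_secret_commits "$WORK/regular")
MIRROR_HITS=$(count_secret_commits "$WORK/mirror.git")

# --- mitigation for this case: drop the stray ref at the origin, expire
# reflogs, prune unreachable objects, then re-audit a fresh mirror clone -------
git -C "$ORIGIN" update-ref -d refs/backup/oldwork
git -C "$ORIGIN" reflog expire --expire=now --all
git -C "$ORIGIN" gc -q --prune=now
git clone -q --no-local --mirror "$ORIGIN" "$WORK/mirror-after.git"
AFTER_HITS=$(count_secret_commits "$WORK/mirror-after.git")
if git -C "$ORIGIN" cat-file -e "$SECRET_COMMIT" 2>/dev/null; then
  OBJECT_GONE=no
else
  OBJECT_GONE=yes
fi

printf 'refs in regular clone:\n%s\n' "$(list_refs "$WORK/regular")"
printf 'refs in --mirror clone:\n%s\n' "$(list_refs "$WORK/mirror.git")"
printf 'commits touching the secret: regular=%s mirror=%s after-purge=%s\n' \
  "$REGULAR_HITS" "$MIRROR_HITS" "$AFTER_HITS"
printf 'secret commit object gone from origin after gc: %s\n' "$OBJECT_GONE"
```

The regular clone reports zero hits while the mirror clone reports one, which is exactly the false sense of security the advisory describes. Deleting the ref and pruning only suffices when the secret lives solely on a stray ref; when it is still reachable from a branch or tag, the history has to be rewritten with BFG or git-filter-repo first, and the same mirror-clone audit should then be repeated to confirm the count is zero.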
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | git | Not affected | | |
| Red Hat Enterprise Linux 7 | git | Not affected | | |
| Red Hat Enterprise Linux 8 | git | Not affected | | |
| Red Hat Enterprise Linux 9 | git | Not affected | | |
| Red Hat Software Collections | rh-git227-git | Not affected | | |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
A vulnerability in the Git distributed version control system, related to information disclosure into the wrong data area, that allows an attacker to gain access to confidential data.
CVSS3: 7.5 High