## https://sploitus.com/exploit?id=A46E2F4B-B22E-5579-93D7-0EE58107CEC3
# CVE-2024-32002
## STILL DEVELOPING
This vulnerability affects Git version:
* `2.45.0`
## Proof Of Concept
The PoC can trigger an RCE (Remote Command Execution) through the `git clone` command by abusing a specific vulnerable way Git handles submodules that follow symlinks, so `core.symlinks` must be set to `true` in the environment for it to work correctly.
> **NOTE:** This can be set with `git config --global core.symlinks true`
### How it works
To trigger the RCE you need two different repositories.
The first repository includes a submodule that includes a specific path with a symlink to a `.git` directory.
The second repository includes a malicious hook and is used as a submodule in the first repository. It contains a script called `post-checkout` holding malicious code that is run by exploiting the case-insensitive filesystem.
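To audit a repository for this layout before cloning it recursively, the following added example (not part of the PoC) scans `git ls-tree -r` output for a symlink whose path collides, ignoring case, with a leading directory of a submodule path. It goes slightly beyond the case described above by flagging every such collision regardless of the symlink's target; the function names and the sample listing are constructed for illustration.

```python
# Added example, not code from the PoC: flag trees where a symlink and a
# submodule path would alias each other on a case-insensitive filesystem.
SYMLINK, GITLINK = "120000", "160000"  # Git tree modes: symlink, submodule

def parse_ls_tree(text):
    """Yield (mode, path) from `git ls-tree -r <rev>` lines (unquoted paths assumed)."""
    for line in text.splitlines():
        if line.strip():
            meta, path = line.split("\t", 1)
            yield meta.split()[0], path

def leading_paths(path):
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']"""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def find_collisions(ls_tree_text):
    """Return (symlink_path, submodule_path) pairs that collide ignoring case."""
    entries = list(parse_ls_tree(ls_tree_text))
    # casefold() approximates how a case-insensitive filesystem compares names
    symlinks = {p.casefold(): p for m, p in entries if m == SYMLINK}
    findings = []
    for mode, path in entries:
        if mode != GITLINK:
            continue
        for prefix in leading_paths(path):
            hit = symlinks.get(prefix.casefold())
            if hit is not None:
                findings.append((hit, path))
    return findings

# Constructed sample listing (object ids are placeholders, not real hashes)
SAMPLE = (
    "100644 blob " + "1" * 40 + "\t.gitmodules\n"
    "120000 blob " + "2" * 40 + "\tdocs\n"
    "160000 commit " + "3" * 40 + "\tDOCS/vendor/lib\n"
    "120000 blob " + "4" * 40 + "\tlatest\n"
    "160000 commit " + "5" * 40 + "\tthird_party/zlib\n"
)

if __name__ == "__main__":
    for link, sub in find_collisions(SAMPLE):
        print(f"suspicious: symlink {link!r} aliases submodule path {sub!r}")
```

Feed it the output of `git ls-tree -r HEAD` from a non-recursive clone, and treat any finding as a reason not to initialise the submodules.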
**This is a vulnerability analysis tool for educational purposes only**