{"id":"CVE-2024-32478","summary":"Git Credential Manager (GCM)'s Debian package does not set root ownership on installed files","details":"Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system to replace the binary and gain other users' privileges. This vulnerability is fixed in 2.5.0.\n","aliases":["GHSA-3c3g-h9rx-f7vq"],"modified":"2026-04-10T05:12:13.872212Z","published":"2024-04-19T14:37:57.617Z","database_specific":{"cwe_ids":["CWE-732"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32478.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32478.json"},{"type":"ADVISORY","url":"https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-3c3g-h9rx-f7vq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32478"},{"type":"FIX","url":"https://github.com/git-ecosystem/git-credential-manager/commit/d9ac33c5b1478383672b4425f5ecf875a62efba9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/git-ecosystem/git-credential-manager","events":[{"introduced":"0"},{"fixed":"d9ac33c5b1478383672b4425f5ecf875a62efba9"}]},{"type":"GIT","repo":"https://github.com/git-ecosystem/git-credential-manager","events":[{"introduced":"0"},{"fixed":"d9ac33c5b1478383672b4425f5ecf875a62efba9"}]}],"versions":["v2.0.5-beta","v2.0.779","v2.0.785","v2.0.866","v2.0.877","v2.0.886","v2.0.931","v2.0.935","v2.1.0","v2.1.1","v2.1.2","v2.2.0","v2.2.1","v2.2.2","v2.3.0","v2.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32478.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N"}]}