CVE-2014-9938
published 2017-03-20
CVE-2014-9938: contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code…
Priority P3 · 41 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 2.32% (81.3th percentile)
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | < git 1:2.0.0~rc2-1 (bookworm) | git 1:2.0.0~rc2-1 (bookworm) |
| git-scm | git | < 1.9.3 | 1.9.3 |
| git | git | >= 0 < 1:2.0.0~rc2-1 | 1:2.0.0~rc2-1 |
| git | git | >= 0 < 1:2.0.0~rc2-1 | 1:2.0.0~rc2-1 |
| git | git | >= 0 < 1:2.0.0~rc2-1 | 1:2.0.0~rc2-1 |
| git | git | >= 0 < 1:2.0.0~rc2-1 | 1:2.0.0~rc2-1 |
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 8.8 HIGH
vendor_debian · 8.8 HIGH
vendor_redhat · 8.8 HIGH
GHSA
GHSA-6vhm-rfmv-gf4j: contrib/completion/git-prompt
ghsa_unreviewed·2022-05-13
CVE-2014-9938 [HIGH] CWE-116 GHSA-6vhm-rfmv-gf4j: contrib/completion/git-prompt
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
OSV
CVE-2014-9938: contrib/completion/git-prompt
osv·2017-03-20·CVSS 8.8
CVE-2014-9938 [HIGH] CVE-2014-9938: contrib/completion/git-prompt
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
Ubuntu
Git vulnerability
vendor_ubuntu·2017-03-23
CVE-2014-9938 Git vulnerability
Title: Git vulnerability
Summary: Git could be made to run programs as your login if it explored a specially
crafted repository.
It was discovered that Git incorrectly sanitized branch names in the PS1
variable when configured to display the repository status in the shell
prompt. If a user were tricked into exploring a malicious repository, a
remote attacker could use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: git-prompt.sh does not sanitize branch names in $PS1
vendor_redhat·2014-04-22·CVSS 8.8
CVE-2014-9938 [HIGH] CWE-78 git: git-prompt.sh does not sanitize branch names in $PS1
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
It was found that the git-prompt.sh script shipped with git failed to correctly handle branch names containing special characters. A specially crafted git repository could use this flaw to execute arbitrary commands if a user working with the repository configured their shell to include repository information in the prompt.
Package: git (Red Hat Enterprise Linux 6) - Not affected
Package: rh-git29-git (Red Hat Software Collections) - Not affected
Debian
CVE-2014-9938: git - contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch na...
vendor_debian·2014·CVSS 8.8
CVE-2014-9938 [HIGH] CVE-2014-9938: git - contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch na...
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
Scope: local
bookworm: resolved (fixed in 1:2.0.0~rc2-1)
bullseye: resolved (fixed in 1:2.0.0~rc2-1)
forky: resolved (fixed in 1:2.0.0~rc2-1)
sid: resolved (fixed in 1:2.0.0~rc2-1)
trixie: resolved (fixed in 1:2.0.0~rc2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1 [fedora-all]
bugzilla·2017-03-21·CVSS 8.8
CVE-2014-9938 [HIGH] CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1 [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-24.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for
Bugzilla
CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1 [epel-5]
bugzilla·2017-03-21·CVSS 8.8
CVE-2014-9938 [HIGH] CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1 [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-5.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'f
Bugzilla
CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1
bugzilla·2017-03-21·CVSS 8.8
CVE-2014-9938 [HIGH] CVE-2014-9938 git: git-prompt.sh does not sanitize branch names in $PS1
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
Upstream patch:
https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f
PoC repository:
https://github.com/njhartwell/pw3nage
Discussion:
Created git tracking bugs for this issue:
Affects: epel-5 [bug 1434439]
Affects: fedora-24 [bug 1434438]
Affects: openshift-1 [bug 1434440]
---
Note that there are two ways to use git-prompt.sh to add info to the shell prompt. These methods are documented at the top of the git-prompt.sh file:
# 3a) Change your PS1 to call __git_ps1 as
# command-substitution:
# Bash: PS1='[\u@\h \W$(__git_ps1 " (
https://access.redhat.com/errata/RHSA-2017:2004
https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f
https://github.com/njhartwell/pw3nage
Published: 2017-03-20