CVE-2019-1353
Published 2020-01-24
Priority P347 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.23% (80.5th percentile)
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
The "NTFS protections" are the checks controlled by the `core.protectNTFS` configuration option. With the option on, Git refuses to write tree entries whose name NTFS would resolve to `.git` even though it is not spelled that way: the 8.3 short name `git~1`, `.git` followed only by dots or spaces (Win32 strips them before the lookup), and alternate-data-stream spellings such as `.git::$INDEX_ALLOCATION`. Before the fix the option defaulted to true only in native Windows builds. A Linux build of Git running under WSL against a working tree on a DrvFs mount such as `/mnt/c` therefore performed none of these checks while still writing to an NTFS volume, so a malicious repository could place a hook under the victim's `.git` directory during clone and have it executed by a later Git command. The fixed releases turn `core.protectNTFS` on by default on every platform; on a release that cannot be upgraded, `git config --global core.protectNTFS true` enables the same checks.
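To tell whether a WSL working tree actually sits on a Windows drive (the precondition described above), the following Python is an added example, not part of the advisory or of Git itself. It parses `/proc/mounts`, decodes the kernel's octal escapes, and picks the longest mount target containing the path, treating WSL1 `drvfs` mounts and WSL2 `9p` mounts carrying `aname=drvfs` as Windows drives. The sample mount table is constructed and the function names are this example's own.

```python
import posixpath
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample in the shape of /proc/mounts (not captured from a real
# host): WSL2-style 9p mounts for C: and D:, a WSL1-style drvfs mount for E:,
# and a native ext4 volume mounted *inside* /mnt/c. The kernel writes special
# bytes as octal escapes, e.g. "\134" for a backslash and "\040" for a space.
SAMPLE_PROC_MOUNTS = """\
/dev/sdc / ext4 rw,relatime,discard,errors=remount-ro,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
C:\\134 /mnt/c 9p rw,noatime,dirsync,aname=drvfs;path=C:\\134;uid=1000;gid=1000;symlinkroot=/mnt/ 0 0
D:\\134 /mnt/d 9p rw,noatime,dirsync,aname=drvfs;path=D:\\134;uid=1000;gid=1000 0 0
E: /mnt/e drvfs rw,noatime,uid=1000,gid=1000,case=off 0 0
/dev/sdd /mnt/c/Users/alice/ext4repos ext4 rw,relatime 0 0
"""

Mount = Tuple[str, str, str, str]  # (source, target, fstype, options)

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """Decode the octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts text into (source, target, fstype, options) tuples."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, opts = (unescape(p) for p in parts[:4])
        mounts.append((source, target, fstype, opts))
    return mounts


def is_windows_drive_mount(fstype: str, opts: str) -> bool:
    """WSL1 exposes Windows drives as fstype 'drvfs'; WSL2 serves them over 9p
    with 'aname=drvfs' among the options (';' separates DrvFs sub-options)."""
    if fstype == "drvfs":
        return True
    return fstype == "9p" and "aname=drvfs" in re.split(r"[,;]", opts)


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match of the mount target containing `path`, so a native
    volume mounted below /mnt/c is not mistaken for the Windows drive."""
    path = posixpath.normpath(path)
    best = None
    for m in mounts:
        target = m[1]
        prefix = target.rstrip("/") + "/"
        if path == target or path.startswith(prefix):
            if best is None or len(target) > len(best[1]):
                best = m
    return best


def worktree_on_windows_drive(path: str, proc_mounts: str = SAMPLE_PROC_MOUNTS) -> bool:
    """True when the working tree at `path` lives on a DrvFs-backed Windows drive."""
    m = mount_for(path, parse_mounts(proc_mounts))
    return m is not None and is_windows_drive_mount(m[2], m[3])


if __name__ == "__main__":
    # Pass a working-tree path; reads the real /proc/mounts when one exists.
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/c/Users/alice/src/repo"
    try:
        with open("/proc/mounts") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_MOUNTS
    verdict = "on a Windows (DrvFs) mount" if worktree_on_windows_drive(target, text) else "not on a Windows mount"
    print(f"{target}: {verdict}")
```

On a WSL host run it with the working-tree path as the first argument; without `/proc/mounts` it falls back to the constructed sample. A tree reported as on a Windows mount should only be used with a fixed Git release or with `core.protectNTFS` explicitly set to true.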
Affected (26 ranges, 25 shown; the repeated git and libgit2 rows are per-suite Debian entries)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | git | < git 1:2.24.0-2 (bookworm) | git 1:2.24.0-2 (bookworm) |
| debian | libgit2 | < libgit2 0.28.4+dfsg.1-2 (bookworm) | libgit2 0.28.4+dfsg.1-2 (bookworm) |
| dulwich_project | dulwich | >= 0.10.0 < 1.2.5 | 1.2.5 |
| git-scm | git | >= 2.14.0 < 2.14.6 | 2.14.6 |
| git-scm | git | >= 2.15.0 < 2.15.4 | 2.15.4 |
| git-scm | git | >= 2.16.0 < 2.16.6 | 2.16.6 |
| git-scm | git | >= 2.17.0 < 2.17.3 | 2.17.3 |
| git-scm | git | >= 2.18.0 < 2.18.2 | 2.18.2 |
| git-scm | git | >= 2.19.0 < 2.19.3 | 2.19.3 |
| git-scm | git | >= 2.20.0 < 2.20.2 | 2.20.2 |
| git-scm | git | >= 2.21.0 < 2.21.1 | 2.21.1 |
| git-scm | git | >= 2.22.0 < 2.22.2 | 2.22.2 |
| git-scm | git | >= 2.23.0 < 2.23.1 | 2.23.1 |
| git-scm | git | >= 2.24.0 < 2.24.1 | 2.24.1 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| jelmer | dulwich | — | — |
| libgit2 | libgit2 | < 0.28.4 | 0.28.4 |
| libgit2 | libgit2 | >= 0 < 0.28.4+dfsg.1-2 | 0.28.4+dfsg.1-2 |
| libgit2 | libgit2 | >= 0 < 0.28.4+dfsg.1-2 | 0.28.4+dfsg.1-2 |
| libgit2 | libgit2 | >= 0 < 0.28.4+dfsg.1-2 | 0.28.4+dfsg.1-2 |
| libgit2 | libgit2 | >= 0 < 0.28.4+dfsg.1-2 | 0.28.4+dfsg.1-2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Debian
CVE-2020-12279 [CRITICAL] libgit2
vendor_debian · 2020 · CVSS 9.8
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.
Scope: local
bookworm: resolved (fixed in 0.28.4+dfsg.1-2)
bullseye: resolved (fixed in 0.28.4+dfsg.1-2)
forky: resolved (fixed in 0.28.4+dfsg.1-2)
sid: resolved (fixed in 0.28.4+dfsg.1-2)
trixie: resolved (fixed in 0.28.4+dfsg.1-2)
Red Hat
CVE-2019-1353 [CRITICAL] CWE-358 git: NTFS protections inactive when running Git in the Windows Subsystem for Linux
vendor_redhat · 2019-12-10 · CVSS 9.8
Statement: This issue did not affect the versions of git shipped with Red Hat Enterprise Linux 6, 7, and 8, as neither NTFS filesystems nor the Windows Subsystem for Linux (WSL) are supported.
Package: git (Red Hat Enterprise Linux 6) - Not affected
Package: git (Red Hat Enterprise Linux 7) - Not affected
Package: git (Red Hat Enterprise Linux 8) - Not affected
Package: rh-git218-git (Red Hat S
Ubuntu
CVE-2019-1348 Git vulnerabilities
vendor_ubuntu · 2019-12-10
Summary: Several security issues were fixed in Git.
Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
CVE-2020-12279 [CRITICAL] CWE-358 libgit2: NTFS protections inactive when running Git in the Windows Subsystem for Linux
vendor_redhat · 2019-09-18 · CVSS 9.8
Statement: Even though the libgit2 code shipped with Red Hat Enterprise Linux 7 and 8 is affected by this flaw, Red Hat supports neither the NTFS filesystem nor the Windows Subsystem for Linux (WSL). For this reason, the flaw has a Low Impact.
Package: libgit2 (Red Hat Enterprise Linux 7) - Fix deferred
Package: libgit2 (Red Hat Enterprise Linux 8) - Fix deferred
Red Hat
CVE-2019-1003040 [CRITICAL] CWE-704 jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
vendor_redhat · 2019-03-25 · CVSS 9.8
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
A flaw was found in the Jenkins Script Security plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Package: jenkins-plugin-script-security (Red Hat OpenShift Container Platform 3.10) - Will not fix
Package: jenkins-plugin-script-security (Red Hat OpenShift Container Platform 3.4) - Out of suppor
Red Hat
CVE-2019-1003041 [CRITICAL] CWE-704 jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
vendor_redhat · 2019-03-25 · CVSS 9.8
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
A flaw was found in the Jenkins Workflow CPS plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Package: jenkins-plugin-workflow-cps (Red Hat OpenShift Container Platform 3.10) - Will not fix
Package: jenkins-plugin-workflow-cps (Red Hat OpenShift Container Platform 3.4) - Out of support scope
Pa
Debian
CVE-2019-1353 [CRITICAL] git
vendor_debian · 2019 · CVSS 9.8
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
GHSA
CVE-2026-42305 [CRITICAL] CWE-22 Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows
ghsa · 2026-05-28 · CVSS 9.8
## Impact
Arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows.
Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax:
- `\` (the Windows path separator). A single tree entry named `.git\hooks\pre-commit.exe` was treated as one valid filename on POSIX but materialized as nested directories `.git/hooks/pre-commit.exe` on Windows, planting a file inside the victim's .git directory. Git for Windows then executes that hook on the next git commit, giving the attacker arbitrary code execution in the victim's user context. The same primitive can be used with ..\outside.txt t
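The Git description at the top of the page, the libgit2 entries (8.3 short names) and this Dulwich entry (backslashes and `..`) come down to one question: does a tree entry name, interpreted by NTFS and Win32 rather than by POSIX rules, land somewhere the checkout must not write? The following Python is an added example, not code from Git, libgit2 or Dulwich. It models the rules behind Git's `core.protectNTFS` (case folding, trailing dots and spaces, `:` stream syntax, `git~N` short names) together with separator and traversal checks. The function names and the sample tree entries are this example's own; the `.gitmodules` short-name rule and the `~<digits>` match are this example's generalisations and make it stricter than Git's exact check.

```python
import re
from typing import List, Optional, Tuple

# 8.3 short names NTFS may assign to ".git" and ".gitmodules" (GIT~1, GITMOD~2, ...).
# Assumption: accepting any "~<digits>" suffix is broader than Git's own check
# and deliberately errs toward rejecting.
_DOTGIT_SHORT = re.compile(r"^git~\d+$")
_DOTGITMODULES_SHORT = re.compile(r"^gitmod~\d+$")


def ntfs_canonical(component: str) -> str:
    """The name Win32 would actually open for this entry on NTFS: anything after
    the first ':' names a data stream of the same file, trailing dots and spaces
    are silently dropped, and lookups are case-insensitive."""
    name = component.split(":", 1)[0]
    return name.rstrip(". ").lower()


def hostile_reason(component: str) -> Optional[str]:
    """Why a single path component must not be written to an NTFS working tree."""
    if "\\" in component:
        return "backslash acts as a path separator on Windows"
    if "\0" in component:
        return "NUL byte"
    canon = ntfs_canonical(component)
    if canon in ("", ".", ".."):
        return "empty or traversal component after NTFS normalisation"
    if canon == ".git" or _DOTGIT_SHORT.match(canon):
        return "resolves to .git on NTFS"
    if canon == ".gitmodules" or _DOTGITMODULES_SHORT.match(canon):
        return "resolves to .gitmodules on NTFS"
    if ":" in component:
        return "alternate data stream syntax"
    return None


def check_tree_path(path: str) -> Optional[Tuple[int, str, str]]:
    """Return (index, component, reason) for the first hostile component, else None."""
    for i, comp in enumerate(path.split("/")):
        reason = hostile_reason(comp)
        if reason is not None:
            return (i, comp, reason)
    return None


# Constructed sample tree-entry names modelled on the patterns named in the
# advisories on this page (not taken from any real repository).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    "legit~1.txt",
    ".git/hooks/post-checkout",
    "GIT~1/hooks/post-checkout",
    ".git. /hooks/post-checkout",
    ".git::$INDEX_ALLOCATION/hooks/post-checkout",
    "gitmod~1",
    ".git\\hooks\\pre-commit.exe",
    "docs/..\\outside.txt",
]


def hostile_entries(paths: List[str]) -> List[Tuple[str, str]]:
    """Filter a list of tree paths down to (path, reason) for the hostile ones."""
    out = []
    for p in paths:
        hit = check_tree_path(p)
        if hit is not None:
            out.append((p, hit[2]))
    return out


if __name__ == "__main__":
    for p, why in hostile_entries(SAMPLE_TREE):
        print(f"REJECT {p!r}: {why}")
```

Run it as a script to see which of the sample entries would be refused; `legit~1.txt` passes because only a short name that resolves to `.git` or `.gitmodules` is dangerous, whereas `GIT~1`, `.git. ` and `.git::$INDEX_ALLOCATION` all normalise to `.git` and are rejected before anything touches the disk.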
GHSA
CVE-2020-12279 [CRITICAL] CWE-20 GHSA-jq74-8pv3-p93c (libgit2)
ghsa_unreviewed · 2022-05-24 · CVSS 9.8
OSV
CVE-2020-12279 [CRITICAL] libgit2
osv · 2020-04-27 · CVSS 9.8
OSV
CVE-2019-1353 [CRITICAL] git
osv · 2020-01-24 · CVSS 9.8
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-12279 [CRITICAL] libgit2: NTFS protections inactive when running Git in the Windows Subsystem for Linux
bugzilla · 2020-04-29 · CVSS 9.8
An issue was discovered in libgit2 where checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is the libgit2 variant of CVE-2019-1353.
https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
https://github.com/libgit2/libgit2/releases/tag/v0.28.4
https://github.com/libgit2/libgit2/releases/tag/v0.99.0
Discussion:
Created libgit2 tracking bugs for this issue:
Affects: epel-all [bug 1829423]
Affects: fedora-all [bug 1829425]
Created libgit2:0.26/libgit2 tracking bugs for this issue:
Affec
Bugzilla
CVE-2019-1353 [CRITICAL] git: NTFS protections inactive when running Git in the Windows Subsystem for Linux
bugzilla · 2019-12-11 · CVSS 9.8
When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
References:
https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt
Discussion:
Created git tracking bugs for this issue:
Affects: fedora-all [bug 1781967]
---
oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1
---
External References:
https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
---
Upstream fix:
https://github.com/git/git/commit/9102f958ee5254b10c0be72672aa3305bf4f4704
---
Statement:
This is
Bugzilla
CVE-2019-1353 [CRITICAL] git: NTFS protections inactive when running Git in the Windows Subsystem for Linux [fedora-all]
bugzilla · 2019-12-11 · CVSS 9.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2019-1003041 [CRITICAL] jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
bugzilla · 2019-04-01 · CVSS 9.8
Sandbox protection in the Jenkins Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.
External Reference:
https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
Discussion:
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
---
This i
Bugzilla
CVE-2019-1003040 [CRITICAL] jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
bugzilla · 2019-04-01 · CVSS 9.8
Sandbox protection in the Jenkins Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.
External Reference:
https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
Discussion:
Created jenkins-script-security-plugin tracking bugs for this issue:
Affects: fedora-all [bug 1694533]
---
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/
References:
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
https://security.gentoo.org/glsa/202003-30