CVE-2019-1387
Published 2019-12-18
PriorityP353high8.8CVSS 3.1
EPSS: 4.43% (90.2th percentile)
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Affected
39 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | < git 1:2.24.0-2 (bookworm) | git 1:2.24.0-2 (bookworm) |
| git-scm | git | — | — |
| git-scm | git | — | — |
| git-scm | git | — | — |
| git-scm | git | >= 2.14.0 < 2.14.6 | 2.14.6 |
| git-scm | git | >= 2.15.0 < 2.15.4 | 2.15.4 |
| git-scm | git | >= 2.16.0 < 2.16.6 | 2.16.6 |
| git-scm | git | >= 2.17.0 < 2.17.3 | 2.17.3 |
| git-scm | git | >= 2.18.0 < 2.18.2 | 2.18.2 |
| git-scm | git | >= 2.19.0 < 2.19.3 | 2.19.3 |
| git-scm | git | >= 2.20.0 < 2.20.2 | 2.20.2 |
| git-scm | git | >= 2.22.0 < 2.22.2 | 2.22.2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.30.2-1+deb11u3 | 1:2.30.2-1+deb11u3 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| me-and | cygwin-git | < 2.31.1-2 | 2.31.1-2 |
| microsoft | microsoft_visual_studio_2017 | — | — |
| microsoft | microsoft_visual_studio_2017_version_15.9 | — | — |
| microsoft | microsoft_visual_studio_2019 | — | — |
| microsoft | microsoft_visual_studio_2019_version_16.4 | — | — |
| microsoft | visual_studio_2017 | >= 15.0 < 15.9.18 | 15.9.18 |
| microsoft | visual_studio_2019 | >= 16.0 < 16.4.1 | 16.4.1 |
| microsoft_corporation | git | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |
| vendor_msrc | — | 8.8 | CRITICAL | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Microsoft
Git for Visual Studio Remote Code Execution Vulnerability
vendor_msrc·2019-12-10·CVSS 8.8
CVE-2019-1387 [HIGH] Git for Visual Studio Remote Code Execution Vulnerability
Git for Visual Studio Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo.
The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.
FAQ: I want to install the lat
Red Hat
git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/
vendor_redhat·2019-12-10·CVSS 8.8
CVE-2019-1349 [HIGH] CWE-20 git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/
git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
An improper input validation flaw was discovered in git in the way it handles git submodules. A remote attacker could abuse this flaw to trick a victim user into recursively cloning a malicious repository, which, under certain circumstances, could fool git into using the same git directory twice and potentially cause remote code execution.
Mitigation: Avoid running `git clone --recurse-submodules` and `git submodule update` wit
Red Hat
git: Remote code execution in recursive clones with nested submodules
vendor_redhat·2019-12-10·CVSS 8.8
CVE-2019-1387 [HIGH] CWE-20 git: Remote code execution in recursive clones with nested submodules
git: Remote code execution in recursive clones with nested submodules
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw a
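Red Hat's description above reduces to one invariant: the metadata directory git derives from a submodule name (`.git/modules/<name>`) must neither escape `.git/modules` nor sit inside the metadata directory of another submodule. The script below is an added example, not code from git or from any vendor advisory on this page; it audits a `.gitmodules` file for that invariant before a recursive clone is run. The sample `.gitmodules` content, the `example.invalid` URLs, and the function names are constructed for the example.

```python
"""Audit a .gitmodules file for submodule names whose metadata directory
would nest inside, or escape from, .git/modules (the condition described
for CVE-2019-1387).  Added example; the sample content below is constructed."""
import configparser
import posixpath
from typing import Dict, List, Tuple

# Constructed .gitmodules: "lib/hooks" would get the git dir
# .git/modules/lib/hooks, inside the git dir of "lib"; "../escape"
# would leave .git/modules altogether.
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://example.invalid/lib.git
[submodule "lib/hooks"]
\tpath = vendor/hooks
\turl = https://example.invalid/hooks.git
[submodule "../escape"]
\tpath = vendor/escape
\turl = https://example.invalid/escape.git
"""


def parse_gitmodules(text: str) -> Dict[str, str]:
    """Return {submodule name: path}.  git's config syntax is close enough
    to INI for configparser once leading tabs are stripped; only '=' is a
    delimiter so URLs containing ':' are not split."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    names: Dict[str, str] = {}
    for section in cp.sections():
        if section.startswith('submodule "') and section.endswith('"'):
            names[section[len('submodule "'):-1]] = cp[section].get("path", "")
    return names


def metadata_dir(name: str) -> str:
    """Git dir a recursive clone would use for this submodule name
    (normalised so '..' components and absolute names become visible)."""
    return posixpath.normpath(posixpath.join(".git/modules", name))


def find_nesting_issues(names: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag names that escape .git/modules, and names whose git dir would be
    equal to or nested under another submodule's git dir."""
    issues: List[Tuple[str, str]] = []
    dirs = {n: metadata_dir(n) for n in names}
    for n, d in dirs.items():
        if not d.startswith(".git/modules/") or ".." in n.split("/"):
            issues.append((n, "name escapes .git/modules"))
    for a, da in dirs.items():
        for b, db in dirs.items():
            # The trailing '/' matters: ".git/modules/ab" is not inside
            # ".git/modules/a", but ".git/modules/a/b" is.
            if a != b and (db == da or db.startswith(da + "/")):
                issues.append((b, f"git dir nested inside that of submodule {a!r}"))
    return issues


if __name__ == "__main__":
    for name, why in find_nesting_issues(parse_gitmodules(SAMPLE_GITMODULES)):
        print(f"{name}: {why}")
```

Run against a repository's `.gitmodules` before `git clone --recurse-submodules` on a git older than the fixed versions listed on this page; the check is a pre-clone linter and does not replace upgrading, since the upstream fix validates the git dir at clone time, including for nested submodules that only appear after the first level has been fetched.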
Ubuntu
Git vulnerabilities
vendor_ubuntu·2019-12-10
CVE-2019-1348 Git vulnerabilities
Title: Git vulnerabilities
Summary: Several security issues were fixed in Git.
Joern Schneeweisz and Nicolas Joly discovered that Git contained various
security flaws. An attacker could possibly use these issues to overwrite
arbitrary paths, execute arbitrary code, and overwrite files in the .git
directory.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams
vendor_redhat·2019-12-10·CVSS 8.8
CVE-2019-1352 [HIGH] CWE-73 git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams
git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.
Statement: Even if the code in the versions of git as shipped with Red Hat Enterprise Linux 8 and Red Hat Software Collections 3 is affected by this flaw, Red Hat does not support the NTFS filesystem. For this reason, the flaw has a Low Impact.
Package: git (Red Hat Enterprise Linux 6) - Not affected
Package: git (Red Hat Enterprise Linux 7) - Not affected
Red Hat
git: Git does not refuse to write out tracked files with backslashes in filenames
vendor_redhat·2019-12-10·CVSS 8.8
CVE-2019-1354 [HIGH] CWE-20 git: Git does not refuse to write out tracked files with backslashes in filenames
git: Git does not refuse to write out tracked files with backslashes in filenames
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.
Statement: This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, 7, and 8 as this is a Windows only issue and it does not affect the Linux versions of git.
Package: git (Red Hat Enterprise Linux 6) - Not affected
Package: git (Red Hat Enterprise Linux 7) - Not affected
Package: git (Red Hat Enterprise Linux 8) - Not affected
Package: rh-git218-git (Red Hat Software Collections) - Not affected
Red Hat
git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone
vendor_redhat·2019-12-10·CVSS 8.8
CVE-2019-1350 [HIGH] CWE-20 git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone
git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
Statement: This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, 7, and 8 as this is a Windows only issue and it does not affect the Linux versions of git.
Package: git (Red Hat Enterprise Linux 6) - Not affected
Package: git (Red Hat Enterprise Linux 7) - Not affected
Package: git (Red Hat Enterprise Linux 8) - Not affected
Package: rh-git218-git (Red Hat Software Collections) - Not affected
Debian
CVE-2019-1350: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
vendor_debian·2019·CVSS 8.8
CVE-2019-1350 [HIGH] CVE-2019-1350: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
Debian
CVE-2019-1352: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
vendor_debian·2019·CVSS 8.8
CVE-2019-1352 [HIGH] CVE-2019-1352: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
Debian
CVE-2019-1349: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
vendor_debian·2019·CVSS 8.8
CVE-2019-1349 [HIGH] CVE-2019-1349: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
Debian
CVE-2019-1387: git - An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2...
vendor_debian·2019·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387: git - An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2...
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.30.2-1+deb11u3)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
Debian
CVE-2019-1354: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
vendor_debian·2019·CVSS 8.8
CVE-2019-1354 [HIGH] CVE-2019-1354: git - A remote code execution vulnerability exists when Git for Visual Studio improper...
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
GHSA
GHSA-993f-36vw-6mhm: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1349 [HIGH] GHSA-993f-36vw-6mhm: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
GHSA
GHSA-v94j-fmjr-xrgv: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1350 [HIGH] GHSA-v94j-fmjr-xrgv: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
GHSA
GHSA-57mj-9r29-rj3q: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1354 [HIGH] GHSA-57mj-9r29-rj3q: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.
GHSA
GHSA-9mhc-h3vf-83fw: An issue was found in Git before v2
ghsa_unreviewed·2022-05-24
CVE-2019-1387 [MEDIUM] GHSA-9mhc-h3vf-83fw: An issue was found in Git before v2
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
GHSA
GHSA-74fq-3g57-65f7: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1352 [HIGH] GHSA-74fq-3g57-65f7: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.
OSV
CVE-2019-1350: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
osv·2020-01-24·CVSS 8.8
CVE-2019-1350 [HIGH] CVE-2019-1350: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
OSV
CVE-2019-1354: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
osv·2020-01-24·CVSS 8.8
CVE-2019-1354 [HIGH] CVE-2019-1354: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.
OSV
CVE-2019-1352: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
osv·2020-01-24·CVSS 8.8
CVE-2019-1352 [HIGH] CVE-2019-1352: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.
OSV
CVE-2019-1349: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
osv·2020-01-24·CVSS 8.8
CVE-2019-1349 [HIGH] CVE-2019-1349: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution V
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
OSV
CVE-2019-1387: An issue was found in Git before v2
osv·2019-12-18·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387: An issue was found in Git before v2
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
No detection rules found.
No public exploits indexed.
Qualys
December 2019 Patch Tuesday – 36 Vulns, 7 Critical, Actively Attacked Win32k vuln, Adobe vulns
blogs_qualys·2019-12-10·CVSS 8.8
CVE-2019-1468 [HIGH] December 2019 Patch Tuesday – 36 Vulns, 7 Critical, Actively Attacked Win32k vuln, Adobe vulns
This month’s Patch Tuesday is rather light and addresses 36 vulnerabilities, with only 7 labeled as Critical. Five of the seven Critical vulns are in Git for Visual Studio. The others are for Hyper-V and Win32k. Also, there is one actively attacked “Important” vuln in Win32k. Adobe released patches today covering Acrobat/Reader, ColdFusion, Photoshop, and Brackets.
## Workstation Patches
Win32k patches ( CVE-2019-1468 and CVE-2019-1458 ) should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Though listed as Important, Microsoft has disclosed that CVE-2019-1458 is actively attacked in the wild.
## Hyper-V Hypervisor Escapes
A remo
Tenable
Microsoft's December 2019 Patch Tuesday Includes Fix for Zero Day Exploited in the Wild (CVE-2019-1458)
blogs_tenable·2019-12-10·CVSS 7.8
[HIGH] Microsoft's December 2019 Patch Tuesday Includes Fix for Zero Day Exploited in the Wild (CVE-2019-1458)
Bugzilla
CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [epel-6]
bugzilla·2019-12-17·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [epel-6]
CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following t
Bugzilla
CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [fedora-all]
bugzilla·2019-12-17·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [fedora-all]
CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2019-1387 libgit2-glib: git: Remote code execution in recursive clones with nested submodules [fedora-all]
bugzilla·2019-12-17·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387 libgit2-glib: git: Remote code execution in recursive clones with nested submodules [fedora-all]
CVE-2019-1387 libgit2-glib: git: Remote code execution in recursive clones with nested submodules [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue af
Bugzilla
CVE-2019-1387 git: remote code execution in recursive clones with nested submodules [fedora-all]
bugzilla·2019-12-11·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387 git: remote code execution in recursive clones with nested submodules [fedora-all]
CVE-2019-1387 git: remote code execution in recursive clones with nested submodules [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
bugzilla·2019-12-09·CVSS 8.8
CVE-2019-1387 [HIGH] CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
References:
https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt
Discussion:
Created git tracking bugs for this issue:
Affects: fedora-all [bug 1781954]
---
Upstream patch:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2
---
External References:
https://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2
---
oss-security mailing list reference:
https://www.openwall.com/lists/oss-security/2019/12/13/1
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://access.redhat.com/errata/RHSA-2019:4356
- https://access.redhat.com/errata/RHSA-2020:0002
- https://access.redhat.com/errata/RHSA-2020:0124
- https://access.redhat.com/errata/RHSA-2020:0228
- https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
- https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
- https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
- https://security.gentoo.org/glsa/202003-30
- https://security.gentoo.org/glsa/202003-42
Published: 2019-12-18