CVE-2019-1387 — Improper Input Validation in GIT
CWE-20 — Improper Input ValidationCWE-73 — External Control of File Name or Path17 documents9 sources
Severity
8.8HIGHNVD
EPSS
2.2%
top 15.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 18
Latest updateMay 24
Description
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9
Affected Packages3 packages
🔴Vulnerability Details
3📋Vendor Advisories
8Red Hat▶
git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams↗2019-12-10
💬Community
5Bugzilla▶
CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [epel-6]↗2019-12-17
Bugzilla▶
CVE-2019-1387 libgit2: git: Remote code execution in recursive clones with nested submodules [fedora-all]↗2019-12-17
Bugzilla▶
CVE-2019-1387 libgit2-glib: git: Remote code execution in recursive clones with nested submodules [fedora-all]↗2019-12-17
Bugzilla▶
CVE-2019-1387 git: remote code execution in recursive clones with nested submodules [fedora-all]↗2019-12-11
Bugzilla
▶