CVE-2019-19604
Published: 2019-12-11
Priority: P3 · 43 · high · CVSS 3.1: 7.8 · AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 3.69% (88.3rd percentile)
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | git | < git 1:2.24.0-2 (bookworm) | git 1:2.24.0-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| git-scm | git | < 2.20.0 | 2.20.0 |
| git-scm | git | >= 2.21.0 < 2.21.1 | 2.21.1 |
| git-scm | git | >= 2.22.0 < 2.22.2 | 2.22.2 |
| git-scm | git | >= 2.23.0 < 2.23.1 | 2.23.1 |
| git-scm | git | >= 2.24.0 < 2.24.1 | 2.24.1 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| git | git | >= 0 < 1:2.24.0-2 | 1:2.24.0-2 |
| opensuse | leap | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| ghsa | — | 7.8 | HIGH | — |
| osv | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA
gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules
ghsa · 2026-05-05 · CVSS 7.8 · CVE-2019-19604 [HIGH] · CWE-183
### Summary
[`gix_submodule::File::update()`](https://github.com/GitoxideLabs/gitoxide/blob/main/gix-submodule/src/access.rs#L168) is the API that gates whether an attacker-supplied `.gitmodules` file may set `update = !`. The function is designed to return `Err(CommandForbiddenInModulesConfiguration)` unless the `!command` value came from a trusted local source (`.git/config`). Git CVE [CVE-2019-19604](https://nvd.nist.gov/vuln/detail/cve-2019-19604) illustrates why this check is necessary.
However, the guard is implemented incorrectly: it checks whether any section with the same submodule name exists from a non-`.gitmodules` source; it does not v
GHSA
GHSA-4vp4-vvrc-wvhx: Arbitrary command execution is possible in Git before 2
ghsa_unreviewed · 2022-05-24 · CVE-2019-19604 [HIGH] · CWE-20
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
OSV
CVE-2019-19604: Arbitrary command execution is possible in Git before 2
osv · 2019-12-11 · CVSS 7.8 · CVE-2019-19604 [HIGH]
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Ubuntu
Git vulnerabilities
vendor_ubuntu · 2019-12-10 · CVE-2019-1348
Summary: Several security issues were fixed in Git.
Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: Recursive clone followed by a submodule update could execute code contained within the repository without the user's explicit consent
vendor_redhat · 2019-12-10 · CVSS 7.8 · CVE-2019-19604 [HIGH] · CWE-807
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
A security bypass was discovered in git, which allows arbitrary commands to be executed during the update of git submodules. A remote attacker may trick a victim user into cloning a malicious repository that initially looks fine, allowing access to bypass the security mechanisms that prevent the execution of arbitrary commands during the submodule initialization. After following an update o
Debian
CVE-2019-19604: git - Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21...
vendor_debian · 2019 · CVSS 7.8 · CVE-2019-19604 [HIGH]
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-19604 libgit2-glib: git: Recursive clone followed by a submodule update could execute code contained within the repository without the user's explicit consent [fedora-all]
bugzilla · 2019-12-17 · CVSS 7.8 · CVE-2019-19604 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog
Bugzilla
CVE-2019-19604 libgit2: git: Recursive clone followed by a submodule update could execute code contained within the repository without the user's explicit consent [epel-6]
bugzilla · 2019-12-17 · CVSS 7.8 · CVE-2019-19604 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-6.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog
Bugzilla
CVE-2019-19604 libgit2: git: Recursive clone followed by a submodule update could execute code contained within the repository without the user's explicit consent [fedora-all]
bugzilla · 2019-12-17 · CVSS 7.8 · CVE-2019-19604 [HIGH]
Bugzilla
CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within the repository without the user's explicit consent
bugzilla · 2019-12-11 · CVSS 7.8 · CVE-2019-19604 [HIGH]
The change to disallow `submodule.<name>.update=!command` entries in `.gitmodules`, which was introduced in v2.15.4 (and for which v2.17.3 added explicit fsck checks), fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (CVE-2019-19604).
References:
https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.20.2.txt
Discussion:
Created git tracking bugs for this issue:
Affects: fedora-all [bug 1781972]
---
oss-security mailing list reference:
https://www.openwall.com/lists/oss
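As an added example (not git's or gitoxide's own code), the check that the gitoxide advisory and the Red Hat bug above both describe, in Python: a minimal parser for the git-config syntax of `.gitmodules`, a scan that flags `update = !command` entries the way git's fsck check does, and a resolver that honours a `!command` value only when it comes from the local `.git/config`, never from the repository-supplied `.gitmodules`. The sample configuration texts, submodule names and commands are constructed for the example.

```python
import re

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')  # git-config subsection
KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')     # key = value

def parse_submodule_config(text):
    """Return {submodule_name: {key: value}} from .gitmodules/.git/config text."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        if line.lstrip().startswith("["):  # unrelated section such as [core]
            current = None
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return result

def forbidden_update_commands(gitmodules_text):
    """Names whose .gitmodules entry sets update = !command (what fsck rejects)."""
    cfg = parse_submodule_config(gitmodules_text)
    return sorted(n for n, k in cfg.items() if k.get("update", "").startswith("!"))

def effective_update(name, gitmodules_text, local_config_text):
    """Resolve update mode: local .git/config wins; '!command' is accepted only from there."""
    local = parse_submodule_config(local_config_text).get(name, {})
    if "update" in local:
        return local["update"]  # trusted: the user configured it locally
    value = parse_submodule_config(gitmodules_text).get(name, {}).get("update", "checkout")
    if value.startswith("!"):
        raise ValueError(f"submodule.{name}.update=!command is not allowed in .gitmodules")
    return value

# Constructed sample inputs; names, paths and commands are made up.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\tupdate = !echo from-gitmodules
[submodule "libbar"]
\tpath = vendor/libbar
\tupdate = rebase
"""
SAMPLE_LOCAL_CONFIG = """\
[submodule "libbar"]
\tupdate = !echo locally-configured
"""
```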
Bugzilla
CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within the repository without the user's explicit consent [fedora-all]
bugzilla · 2019-12-11 · CVSS 7.8 · CVE-2019-19604 [HIGH]
References:
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
http://www.openwall.com/lists/oss-security/2019/12/13/1
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCYSSCA5ZTEP46SB4XRPSQGFV2L3NKMZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt
https://security.gentoo.org/glsa/202003-30
https://www.debian.org/security/2019/dsa-4581