CVE-2019-19604 — OS Command Injection in GIT
Severity
7.8HIGHNVD
EPSS
1.3%
top 19.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 11
Latest updateMay 24
Description
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages3 packages
Also affects: Debian Linux 10.0, 9.0, Fedora 30, 31
🔴Vulnerability Details
3📋Vendor Advisories
3💬Community
5Bugzilla▶
CVE-2019-19604 libgit2-glib: git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent [fedora-all]↗2019-12-17
Bugzilla▶
CVE-2019-19604 libgit2: git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent [epel-6]↗2019-12-17
Bugzilla▶
CVE-2019-19604 libgit2: git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent [fedora-all]↗2019-12-17
Bugzilla▶
CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent↗2019-12-11
Bugzilla▶
CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent [fedora-all]↗2019-12-11