Debian Git vulnerabilities
56 known vulnerabilities affecting debian/git.
Total CVEs: 56
CISA KEV: 1 (actively exploited)
Public exploits: 6
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 19, MEDIUM 8, LOW 19
Vulnerabilities
Page 2 of 3
CVE-2022-23521 | CRITICAL | CVSS 9.8 | fixed in git 1:2.39.1-0.1 (bookworm) | 2022
Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can o
CVE-2022-41903 | CRITICAL | CVSS 9.8 | fixed in git 1:2.39.1-0.1 (bookworm) | 2022
Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an
CVE-2022-39260 | HIGH | CVSS 8.5 | fixed in git 1:2.38.1-1 (bookworm) | 2022
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the n
CVE-2022-39253 | MEDIUM | CVSS 5.5 | fixed in git 1:2.38.1-1 (bookworm) | 2022
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_D
CVE-2022-29187 | MEDIUM | CVSS 6.0 | fixed in git 1:2.37.2-1 (bookworm) | 2022
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but w
CVE-2022-24765 | MEDIUM | CVSS 6.0 | fixed in git 1:2.35.2-1 (bookworm) | 2022
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git direct
CVE-2022-24975 | LOW (entry title: HIGH) | CVSS 7.5 | 2022
The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git bin
CVE-2021-40330 | HIGH | CVSS 7.5 | fixed in git 1:2.30.1-1 (bookworm) | 2021
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.
Scope: local
bookworm: resolved (fixed in 1:2.30.1-1)
bullseye: resolved (fixed in 1:2.30.1-1)
forky: resolved (fixed in 1:
CVE-2021-21300 | HIGH | CVSS 8.0 | PoC | fixed in git 1:2.30.2-1 (bookworm) | 2021
Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Win
CVE-2020-5260 | CRITICAL | CVSS 9.3 | fixed in git 1:2.26.1-1 (bookworm) | 2020
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject uninten
CVE-2020-11008 | MEDIUM | CVSS 4.0 | fixed in git 1:2.26.2-1 (bookworm) | 2020
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credentia
CVE-2019-1353 | CRITICAL | CVSS 9.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
CVE-2019-1352 | HIGH | CVSS 8.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1
CVE-2019-19604 | HIGH | CVSS 7.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky:
CVE-2019-1349 | HIGH | CVSS 8.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1
CVE-2019-1387 | HIGH | CVSS 8.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Scope: local
bookworm: resolved (fixed in 1:
CVE-2019-1351 | LOW (entry title: HIGH) | CVSS 7.5 | fixed in git 1:2.24.0-2 (bookworm) | 2019
A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1:2.24.0-2)
sid: resolved (fixed in 1:2.24.0-2)
trixie: resolved (fixed in 1:2.24.0-2)
CVE-2019-1350 | LOW (entry title: HIGH) | CVSS 8.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1
CVE-2019-1348 | LOW | CVSS 3.3 | fixed in git 1:2.24.0-2 (bookworm) | 2019
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1
CVE-2019-1354 | LOW (entry title: HIGH) | CVSS 8.8 | fixed in git 1:2.24.0-2 (bookworm) | 2019
A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.
Scope: local
bookworm: resolved (fixed in 1:2.24.0-2)
bullseye: resolved (fixed in 1:2.24.0-2)
forky: resolved (fixed in 1