Git-Scm Git vulnerabilities

41 known vulnerabilities affecting git-scm/git.

Total CVEs: 41
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 25, MEDIUM 6, LOW 2

Vulnerabilities

Page 1 of 3
CVE-2025-48384 | P1 | HIGH | CVSS 8.0 | KEV | PoC | fixed in 2.43.7; ≥ 2.44.0, < 2.44.4; +6 more | 2025-07-08
CVE-2025-48384 [HIGH] CWE-59: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost
nvd
CVE-2018-17456 | P1 | CRITICAL | CVSS 9.8 | PoC | ≥ 2.14.0, < 2.14.5; ≥ 2.15.0, < 2.15.3; +4 more | 2018-10-06
CVE-2018-17456 [CRITICAL] CWE-88: Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
nvd
CVE-2014-9390 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 1.8.5.6; ≥ 1.9.0, < 1.9.5; +3 more | 2020-02-12
CVE-2014-9390 [CRITICAL] CWE-20: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allo
nvd
CVE-2021-21300 | P2 | HIGH | CVSS 7.5 | PoC | ≤ 2.14.2; ≥ 2.17.0, < 2.17.6; +13 more | 2021-03-09
CVE-2021-21300 [HIGH] CWE-59: Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default f
nvd
CVE-2017-1000117 | P2 | HIGH | CVSS 8.8 | PoC | ≤ 2.7.5; v2.8.0; +27 more | 2017-10-05
CVE-2017-1000117 [HIGH] CWE-601: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-
nvd
CVE-2018-11235 | P2 | HIGH | CVSS 7.8 | PoC | ≤ 2.13.6; ≥ 2.14.0, ≤ 2.14.3; +3 more | 2018-05-30
CVE-2018-11235 [HIGH] CWE-22: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then ap
nvd
CVE-2022-23521 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.30.6; ≥ 2.31.0, ≤ 2.31.5; +8 more | 2023-01-17
CVE-2022-23521 [CRITICAL] CWE-190: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple inte
nvd
CVE-2022-41903 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.30.6; ≥ 2.31.0, ≤ 2.31.5; +8 more | 2023-01-17
CVE-2022-41903 [CRITICAL] CWE-190: Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stor
nvd
CVE-2008-5516 | P3 | HIGH | CVSS 7.5 | PoC | v0.6.0; v0.7.0 | 2009-01-20
CVE-2008-5516 [HIGH] CWE-78: The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search.
nvd
CVE-2017-14867 | P2 | HIGH | CVSS 8.8 | ≤ 2.10.4; v2.11.0; +16 more | 2017-09-29
CVE-2017-14867 [HIGH] CWE-78: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
nvd
CVE-2023-25652 | P2 | HIGH | CVSS 7.5 | fixed in 2.30.9; ≥ 2.31.0, < 2.31.8; +9 more | 2023-04-25
CVE-2023-25652 [HIGH] CWE-22: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A f
nvd
CVE-2016-2324 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.7.3 | 2016-04-08
CVE-2016-2324 [CRITICAL] CWE-119: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.
nvd
CVE-2016-2315 | P2 | CRITICAL | CVSS 9.8 | v2.7.3 | 2016-04-08
CVE-2016-2315 [CRITICAL] CWE-119: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
nvd
CVE-2022-39260 | P3 | HIGH | CVSS 8.8 | fixed in 2.30.6; ≥ 2.31.0, < 2.31.5; +7 more | 2022-10-19
CVE-2022-39260 [HIGH] CWE-122: Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int`
nvd
CVE-2020-5260 | P3 | HIGH | CVSS 7.5 | ≥ 2.18.0, < 2.18.3; ≥ 2.19.0, < 2.19.4; +6 more | 2020-04-14
CVE-2020-5260 [HIGH] CWE-20: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can
nvd
CVE-2019-1387 | P3 | HIGH | CVSS 8.8 | ≥ 2.14.0, < 2.14.6; ≥ 2.15.0, < 2.15.4; +9 more | 2019-12-18
CVE-2019-1387 [HIGH]: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
nvd
CVE-2020-11008 | P3 | HIGH | CVSS 7.5 | fixed in 2.17.5; ≥ 2.18.0, < 2.18.4; +8 more | 2020-04-21
CVE-2020-11008 [HIGH] CWE-20: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses ext
nvd
CVE-2018-19486 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.19.2 | 2018-11-23
CVE-2018-19486 [CRITICAL] CWE-426: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
nvd
CVE-2023-29007 | P3 | HIGH | CVSS 7.8 | fixed in 2.30.9; ≥ 2.31.0, < 2.31.8; +9 more | 2023-04-25
CVE-2023-29007 [HIGH] CWE-74: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to injec
nvd
CVE-2019-1353 | P3 | CRITICAL | CVSS 9.8 | ≥ 2.14.0, < 2.14.6; ≥ 2.15.0, < 2.15.4; +9 more | 2020-01-24
CVE-2019-1353 [CRITICAL] CWE-22: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
nvd