Vulnerability CVE-2019-1387: Information

Description

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-1387
Published: Dec. 19, 2019
Modified: Nov. 7, 2023

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
gitsisyphus2.24.1-alt12.42.2-alt1ALT-PU-2019-3258-1242631Fixed
gitp102.24.1-alt12.33.8-alt1ALT-PU-2019-3258-1242631Fixed
gitp92.24.1-alt12.25.4-alt1ALT-PU-2019-3259-1242632Fixed
gitp82.24.1-alt12.24.1-alt1ALT-PU-2019-3276-1242633Fixed
gitc10f12.24.1-alt12.42.1-alt1ALT-PU-2019-3258-1242631Fixed
gitc9f22.24.1-alt12.42.1-alt1ALT-PU-2019-3259-1242632Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
RHSA-2019:4356
  • Third Party Advisory
RHSA-2020:0002
    RHSA-2020:0124
      [debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update
        openSUSE-SU-2020:0123
          RHSA-2020:0228
            GLSA-202003-30
              GLSA-202003-42
                openSUSE-SU-2020:0598
                  https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
                    FEDORA-2019-1cec196e20
                      https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/

                          1. Configuration 1

                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.14.0
                            End excliding
                            2.14.6
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.15.0
                            End excliding
                            2.15.4
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.16.0
                            End excliding
                            2.16.6
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.17.0
                            End excliding
                            2.17.3
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.18.0
                            End excliding
                            2.18.2
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.19.0
                            End excliding
                            2.19.3
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.20.0
                            End excliding
                            2.20.2
                            cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
                            Start including
                            2.22.0
                            End excliding
                            2.22.2
                            cpe:2.3:a:git-scm:git:2.21.0:*:*:*:*:*:*:*
                            cpe:2.3:a:git-scm:git:2.23.0:*:*:*:*:*:*:*
                            cpe:2.3:a:git-scm:git:2.24.0:*:*:*:*:*:*:*
                        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                        Version: v24.5.0
                        Back to top