Search
Find a vulnerability
Search criteria
6 vulnerabilities found for Git by Microsoft Corporation
CVE-2019-1353 (GCVE-0-2019-1353)
Vulnerability from nvd – Published: 2020-01-24 21:14 – Updated: 2024-08-04 18:13
VLAI
Summary
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
Severity
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gi… | x_refsource_MISC |
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40g… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://security.gentoo.org/glsa/202003-30 | vendor-advisoryx_refsource_GENTOO |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft Corporation | Git |
Affected:
Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:13:30.473Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Git",
"vendor": "Microsoft Corporation",
"versions": [
{
"status": "affected",
"version": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-01T23:06:10.000Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2019-1353",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Git",
"version": {
"version_data": [
{
"version_value": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
}
]
},
"vendor_name": "Microsoft Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u",
"refsource": "MISC",
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u"
},
{
"name": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/",
"refsource": "MISC",
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "GLSA-202003-30",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "openSUSE-SU-2020:0598",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1353",
"datePublished": "2020-01-24T21:14:21.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T18:13:30.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1348 (GCVE-0-2019-1348)
Vulnerability from nvd – Published: 2020-01-24 21:14 – Updated: 2024-08-04 18:13
VLAI
Summary
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.
Severity
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://support.apple.com/kb/HT210729 | x_refsource_CONFIRM |
| https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gi… | x_refsource_MISC |
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40g… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://access.redhat.com/errata/RHSA-2020:0228 | vendor-advisoryx_refsource_REDHAT |
| https://security.gentoo.org/glsa/202003-30 | vendor-advisoryx_refsource_GENTOO |
| https://security.gentoo.org/glsa/202003-42 | vendor-advisoryx_refsource_GENTOO |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft Corporation | Git |
Affected:
Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:13:30.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT210729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Git",
"vendor": "Microsoft Corporation",
"versions": [
{
"status": "affected",
"version": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-01T23:06:07.000Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT210729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2019-1348",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Git",
"version": {
"version_data": [
{
"version_value": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
}
]
},
"vendor_name": "Microsoft Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT210729",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT210729"
},
{
"name": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u",
"refsource": "MISC",
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u"
},
{
"name": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/",
"refsource": "MISC",
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1348",
"datePublished": "2020-01-24T21:14:21.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T18:13:30.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1387 (GCVE-0-2019-1387)
Vulnerability from nvd – Published: 2019-12-18 20:11 – Updated: 2025-11-04 16:09
VLAI
Summary
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Remote Code Execution
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gi… | |
| https://access.redhat.com/errata/RHSA-2019:4356 | vendor-advisory |
| https://access.redhat.com/errata/RHSA-2020:0002 | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://access.redhat.com/errata/RHSA-2020:0124 | vendor-advisory |
| https://lists.debian.org/debian-lts-announce/2020… | mailing-list |
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40g… | |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory |
| https://access.redhat.com/errata/RHSA-2020:0228 | vendor-advisory |
| https://security.gentoo.org/glsa/202003-30 | vendor-advisory |
| https://security.gentoo.org/glsa/202003-42 | vendor-advisory |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory |
| https://lists.debian.org/debian-lts-announce/2024… | mailing-list |
| https://lists.debian.org/debian-lts-announce/2024… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft Corporation | Git |
Affected:
Before v2.24.1
Affected: Before v2.23.1 Affected: Before v2.22.2 Affected: Before v2.21.1 Affected: Before v2.20.2 Affected: Before v2.19.3 Affected: Before v2.18.2 Affected: Before v2.17.3 Affected: Before v2.16.6 Affected: Before v2.15.4 Affected: Before v2.14.6 |
|
| git | git |
Affected:
0 , < 2,24.1
(custom)
Affected: 0 , < 2.23.1 (custom) Affected: 0 , < 2.22.2 (custom) Affected: 0 , < 2.21.1 (custom) Affected: 0 , < 2.20.2 (custom) Affected: 0 , < 2.19.3 (custom) Affected: 0 , < 2.18.2 (custom) Affected: 0 , < 2.17.3 (custom) Affected: 0 , < 2.16.6 (custom) Affected: 0 , < 2.15.4 (custom) Affected: 0 , < 2.14.6 (custom) cpe:2.3:a:git:git:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "git",
"vendor": "git",
"versions": [
{
"lessThan": "2,24.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.23.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.22.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.21.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.20.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.19.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.18.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.17.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.16.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.15.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-1387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T18:49:36.663475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T19:03:52.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:09:13.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"name": "RHSA-2019:4356",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4356"
},
{
"name": "RHSA-2020:0002",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0002"
},
{
"name": "FEDORA-2019-1cec196e20",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"
},
{
"name": "RHSA-2020:0124",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0124"
},
{
"name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
},
{
"name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Git",
"vendor": "Microsoft Corporation",
"versions": [
{
"status": "affected",
"version": "Before v2.24.1"
},
{
"status": "affected",
"version": "Before v2.23.1"
},
{
"status": "affected",
"version": "Before v2.22.2"
},
{
"status": "affected",
"version": "Before v2.21.1"
},
{
"status": "affected",
"version": "Before v2.20.2"
},
{
"status": "affected",
"version": "Before v2.19.3"
},
{
"status": "affected",
"version": "Before v2.18.2"
},
{
"status": "affected",
"version": "Before v2.17.3"
},
{
"status": "affected",
"version": "Before v2.16.6"
},
{
"status": "affected",
"version": "Before v2.15.4"
},
{
"status": "affected",
"version": "Before v2.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T10:06:04.659Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"name": "RHSA-2019:4356",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4356"
},
{
"name": "RHSA-2020:0002",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0002"
},
{
"name": "FEDORA-2019-1cec196e20",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"
},
{
"name": "RHSA-2020:0124",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0124"
},
{
"name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"
},
{
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
},
{
"name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1387",
"datePublished": "2019-12-18T20:11:53.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:09:13.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-1353 (GCVE-0-2019-1353)
Vulnerability from cvelistv5 – Published: 2020-01-24 21:14 – Updated: 2024-08-04 18:13
VLAI
Summary
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
Severity
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gi… | x_refsource_MISC |
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40g… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://security.gentoo.org/glsa/202003-30 | vendor-advisoryx_refsource_GENTOO |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft Corporation | Git |
Affected:
Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:13:30.473Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Git",
"vendor": "Microsoft Corporation",
"versions": [
{
"status": "affected",
"version": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-01T23:06:10.000Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2019-1353",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Git",
"version": {
"version_data": [
{
"version_value": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
}
]
},
"vendor_name": "Microsoft Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u",
"refsource": "MISC",
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u"
},
{
"name": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/",
"refsource": "MISC",
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "GLSA-202003-30",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "openSUSE-SU-2020:0598",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1353",
"datePublished": "2020-01-24T21:14:21.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T18:13:30.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1348 (GCVE-0-2019-1348)
Vulnerability from cvelistv5 – Published: 2020-01-24 21:14 – Updated: 2024-08-04 18:13
VLAI
Summary
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.
Severity
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://support.apple.com/kb/HT210729 | x_refsource_CONFIRM |
| https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gi… | x_refsource_MISC |
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40g… | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
| https://access.redhat.com/errata/RHSA-2020:0228 | vendor-advisoryx_refsource_REDHAT |
| https://security.gentoo.org/glsa/202003-30 | vendor-advisoryx_refsource_GENTOO |
| https://security.gentoo.org/glsa/202003-42 | vendor-advisoryx_refsource_GENTOO |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft Corporation | Git |
Affected:
Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:13:30.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/kb/HT210729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Git",
"vendor": "Microsoft Corporation",
"versions": [
{
"status": "affected",
"version": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-01T23:06:07.000Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/kb/HT210729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2019-1348",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Git",
"version": {
"version_data": [
{
"version_value": "Before 2.24.1, 2.23.1, 2.22.2, 2.21.1, 2.20.2, 2.19.3, 2.18.2, 2.17.3, 2.16.6, 2.15.4, 2.14.6"
}
]
}
}
]
},
"vendor_name": "Microsoft Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/kb/HT210729",
"refsource": "CONFIRM",
"url": "https://support.apple.com/kb/HT210729"
},
{
"name": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u",
"refsource": "MISC",
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u"
},
{
"name": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/",
"refsource": "MISC",
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1348",
"datePublished": "2020-01-24T21:14:21.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T18:13:30.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1387 (GCVE-0-2019-1387)
Vulnerability from cvelistv5 – Published: 2019-12-18 20:11 – Updated: 2025-11-04 16:09
VLAI
Summary
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Remote Code Execution
Assigner
References
14 references
| URL | Tags |
|---|---|
| https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gi… | |
| https://access.redhat.com/errata/RHSA-2019:4356 | vendor-advisory |
| https://access.redhat.com/errata/RHSA-2020:0002 | vendor-advisory |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory |
| https://access.redhat.com/errata/RHSA-2020:0124 | vendor-advisory |
| https://lists.debian.org/debian-lts-announce/2020… | mailing-list |
| https://public-inbox.org/git/xmqqr21cqcn9.fsf%40g… | |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory |
| https://access.redhat.com/errata/RHSA-2020:0228 | vendor-advisory |
| https://security.gentoo.org/glsa/202003-30 | vendor-advisory |
| https://security.gentoo.org/glsa/202003-42 | vendor-advisory |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory |
| https://lists.debian.org/debian-lts-announce/2024… | mailing-list |
| https://lists.debian.org/debian-lts-announce/2024… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft Corporation | Git |
Affected:
Before v2.24.1
Affected: Before v2.23.1 Affected: Before v2.22.2 Affected: Before v2.21.1 Affected: Before v2.20.2 Affected: Before v2.19.3 Affected: Before v2.18.2 Affected: Before v2.17.3 Affected: Before v2.16.6 Affected: Before v2.15.4 Affected: Before v2.14.6 |
|
| git | git |
Affected:
0 , < 2,24.1
(custom)
Affected: 0 , < 2.23.1 (custom) Affected: 0 , < 2.22.2 (custom) Affected: 0 , < 2.21.1 (custom) Affected: 0 , < 2.20.2 (custom) Affected: 0 , < 2.19.3 (custom) Affected: 0 , < 2.18.2 (custom) Affected: 0 , < 2.17.3 (custom) Affected: 0 , < 2.16.6 (custom) Affected: 0 , < 2.15.4 (custom) Affected: 0 , < 2.14.6 (custom) cpe:2.3:a:git:git:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "git",
"vendor": "git",
"versions": [
{
"lessThan": "2,24.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.23.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.22.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.21.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.20.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.19.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.18.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.17.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.16.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.15.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.14.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-1387",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T18:49:36.663475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T19:03:52.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:09:13.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"name": "RHSA-2019:4356",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4356"
},
{
"name": "RHSA-2020:0002",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0002"
},
{
"name": "FEDORA-2019-1cec196e20",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"
},
{
"name": "RHSA-2020:0124",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0124"
},
{
"name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
},
{
"name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Git",
"vendor": "Microsoft Corporation",
"versions": [
{
"status": "affected",
"version": "Before v2.24.1"
},
{
"status": "affected",
"version": "Before v2.23.1"
},
{
"status": "affected",
"version": "Before v2.22.2"
},
{
"status": "affected",
"version": "Before v2.21.1"
},
{
"status": "affected",
"version": "Before v2.20.2"
},
{
"status": "affected",
"version": "Before v2.19.3"
},
{
"status": "affected",
"version": "Before v2.18.2"
},
{
"status": "affected",
"version": "Before v2.17.3"
},
{
"status": "affected",
"version": "Before v2.16.6"
},
{
"status": "affected",
"version": "Before v2.15.4"
},
{
"status": "affected",
"version": "Before v2.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T10:06:04.659Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"
},
{
"name": "RHSA-2019:4356",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:4356"
},
{
"name": "RHSA-2020:0002",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0002"
},
{
"name": "FEDORA-2019-1cec196e20",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"
},
{
"name": "RHSA-2020:0124",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0124"
},
{
"name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"
},
{
"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"
},
{
"name": "openSUSE-SU-2020:0123",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"
},
{
"name": "RHSA-2020:0228",
"tags": [
"vendor-advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0228"
},
{
"name": "GLSA-202003-30",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-30"
},
{
"name": "GLSA-202003-42",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-42"
},
{
"name": "openSUSE-SU-2020:0598",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
},
{
"name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2019-1387",
"datePublished": "2019-12-18T20:11:53.000Z",
"dateReserved": "2018-11-26T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:09:13.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}