CVE-2019-1387 - An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.1

CVE-2019-1387

Summary

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

References

Vulnerable Configurations

cpe:2.3:a:git:git:2.14.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.3:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.3:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.4:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.4:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.5:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.14.5:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.3:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.15.3:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.3:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.3:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.4:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.4:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.5:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.16.5:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.17.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.17.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.17.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.17.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.17.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.17.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.18.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.18.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.18.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.18.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.19.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.19.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.19.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.19.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.19.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.19.2:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.20.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.20.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.20.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.20.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.21.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.21.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.22.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.22.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.22.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.22.1:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.23.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.23.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.24.0:*:*:*:*:*:*:*
cpe:2.3:a:git:git:2.24.0:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

redhat via4

advisories

bugzilla

id	1781963
title	CVE-2019-1352 git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074

AND
comment git is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356001
comment git is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003006
AND
comment git-all is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356003
comment git-all is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003008
AND
comment git-core is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356005
comment git-core is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20194356006
AND
comment git-core-doc is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356007
comment git-core-doc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20194356008
AND
comment git-daemon is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356009
comment git-daemon is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003012

AND

comment git-debugsource is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356011
comment git-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20194356012

AND
comment git-email is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356013
comment git-email is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003014
AND
comment git-gui is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356015
comment git-gui is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003016
AND
comment git-instaweb is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356017
comment git-instaweb is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183408024
AND
comment git-subtree is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356019
comment git-subtree is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20194356020
AND
comment git-svn is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356021
comment git-svn is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003018
AND
comment gitk is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356023
comment gitk is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003020
AND
comment gitweb is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356025
comment gitweb is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003022
AND
comment perl-Git is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356027
comment perl-Git is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003024
AND
comment perl-Git-SVN is earlier than 0:2.18.2-1.el8_1
oval oval:com.redhat.rhsa:tst:20194356029
comment perl-Git-SVN is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152561032

rhsa

id	RHSA-2019:4356
released	2019-12-19
severity	Important
title	RHSA-2019:4356: git security update (Important)

bugzilla

id	1781127
title	CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment emacs-git is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124001
comment emacs-git is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003002

AND

comment emacs-git-el is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124003
comment emacs-git-el is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003004

AND
comment git is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124005
comment git is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003006
AND
comment git-all is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124007
comment git-all is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003008
AND
comment git-bzr is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124009
comment git-bzr is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152561010
AND
comment git-cvs is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124011
comment git-cvs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003010
AND
comment git-daemon is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124013
comment git-daemon is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003012
AND
comment git-email is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124015
comment git-email is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003014

AND

comment git-gnome-keyring is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124017
comment git-gnome-keyring is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183408018

AND
comment git-gui is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124019
comment git-gui is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003016
AND
comment git-hg is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124021
comment git-hg is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152561020

AND

comment git-instaweb is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124023
comment git-instaweb is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183408024

AND
comment git-p4 is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124025
comment git-p4 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152561022
AND
comment git-svn is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124027
comment git-svn is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003018
AND
comment gitk is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124029
comment gitk is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003020
AND
comment gitweb is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124031
comment gitweb is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003022
AND
comment perl-Git is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124033
comment perl-Git is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20101003024

AND

comment perl-Git-SVN is earlier than 0:1.8.3.1-21.el7_7
oval oval:com.redhat.rhsa:tst:20200124035
comment perl-Git-SVN is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152561032

rhsa

id	RHSA-2020:0124
released	2020-01-16
severity	Important
title	RHSA-2020:0124: git security update (Important)

rhsa
id RHSA-2020:0002
rhsa
id RHSA-2020:0228

rpms

git-0:2.18.2-1.el8_1
git-all-0:2.18.2-1.el8_1
git-core-0:2.18.2-1.el8_1
git-core-debuginfo-0:2.18.2-1.el8_1
git-core-doc-0:2.18.2-1.el8_1
git-daemon-0:2.18.2-1.el8_1
git-daemon-debuginfo-0:2.18.2-1.el8_1
git-debuginfo-0:2.18.2-1.el8_1
git-debugsource-0:2.18.2-1.el8_1
git-email-0:2.18.2-1.el8_1
git-gui-0:2.18.2-1.el8_1
git-instaweb-0:2.18.2-1.el8_1
git-subtree-0:2.18.2-1.el8_1
git-svn-0:2.18.2-1.el8_1
git-svn-debuginfo-0:2.18.2-1.el8_1
gitk-0:2.18.2-1.el8_1
gitweb-0:2.18.2-1.el8_1
perl-Git-0:2.18.2-1.el8_1
perl-Git-SVN-0:2.18.2-1.el8_1
rh-git218-git-0:2.18.2-1.el7
rh-git218-git-all-0:2.18.2-1.el7
rh-git218-git-core-0:2.18.2-1.el7
rh-git218-git-core-doc-0:2.18.2-1.el7
rh-git218-git-cvs-0:2.18.2-1.el7
rh-git218-git-daemon-0:2.18.2-1.el7
rh-git218-git-debuginfo-0:2.18.2-1.el7
rh-git218-git-email-0:2.18.2-1.el7
rh-git218-git-gui-0:2.18.2-1.el7
rh-git218-git-instaweb-0:2.18.2-1.el7
rh-git218-git-p4-0:2.18.2-1.el7
rh-git218-git-subtree-0:2.18.2-1.el7
rh-git218-git-svn-0:2.18.2-1.el7
rh-git218-gitk-0:2.18.2-1.el7
rh-git218-gitweb-0:2.18.2-1.el7
rh-git218-perl-Git-0:2.18.2-1.el7
rh-git218-perl-Git-SVN-0:2.18.2-1.el7
emacs-git-0:1.8.3.1-21.el7_7
emacs-git-el-0:1.8.3.1-21.el7_7
git-0:1.8.3.1-21.el7_7
git-all-0:1.8.3.1-21.el7_7
git-bzr-0:1.8.3.1-21.el7_7
git-cvs-0:1.8.3.1-21.el7_7
git-daemon-0:1.8.3.1-21.el7_7
git-debuginfo-0:1.8.3.1-21.el7_7
git-email-0:1.8.3.1-21.el7_7
git-gnome-keyring-0:1.8.3.1-21.el7_7
git-gui-0:1.8.3.1-21.el7_7
git-hg-0:1.8.3.1-21.el7_7
git-instaweb-0:1.8.3.1-21.el7_7
git-p4-0:1.8.3.1-21.el7_7
git-svn-0:1.8.3.1-21.el7_7
gitk-0:1.8.3.1-21.el7_7
gitweb-0:1.8.3.1-21.el7_7
perl-Git-0:1.8.3.1-21.el7_7
perl-Git-SVN-0:1.8.3.1-21.el7_7
git-0:2.18.2-1.el8_0
git-all-0:2.18.2-1.el8_0
git-core-0:2.18.2-1.el8_0
git-core-debuginfo-0:2.18.2-1.el8_0
git-core-doc-0:2.18.2-1.el8_0
git-daemon-0:2.18.2-1.el8_0
git-daemon-debuginfo-0:2.18.2-1.el8_0
git-debuginfo-0:2.18.2-1.el8_0
git-debugsource-0:2.18.2-1.el8_0
git-email-0:2.18.2-1.el8_0
git-gui-0:2.18.2-1.el8_0
git-instaweb-0:2.18.2-1.el8_0
git-subtree-0:2.18.2-1.el8_0
git-svn-0:2.18.2-1.el8_0
git-svn-debuginfo-0:2.18.2-1.el8_0
gitk-0:2.18.2-1.el8_0
gitweb-0:2.18.2-1.el8_0
perl-Git-0:2.18.2-1.el8_0
perl-Git-SVN-0:2.18.2-1.el8_0

refmap via4

confirm	https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u
fedora	FEDORA-2019-1cec196e20
gentoo	GLSA-202003-30 GLSA-202003-42
misc	https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
mlist	[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update
suse	openSUSE-SU-2020:0123 openSUSE-SU-2020:0598

Last major update

24-08-2020 - 17:37

Published

18-12-2019 - 21:15

Last modified

24-08-2020 - 17:37