CVE-2019-1387

Name: CVE-2019-1387
Description: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
NVD Severity: high

References

Type                  URI
Third Party Advisory  https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u
Third Party Advisory  https://access.redhat.com/errata/RHSA-2019:4356
REDHAT                https://access.redhat.com/errata/RHSA-2020:0002
FEDORA                https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
REDHAT                https://access.redhat.com/errata/RHSA-2020:0124
MLIST                 https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html
MISC                  https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
SUSE                  http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
REDHAT                https://access.redhat.com/errata/RHSA-2020:0228
GENTOO                https://security.gentoo.org/glsa/202003-30
GENTOO                https://security.gentoo.org/glsa/202003-42
SUSE                  http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html

Match rules

CPE URI                                     Source package  Min version  Max version
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.14.0    < 2.14.6
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.15.0    < 2.15.4
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.16.0    < 2.16.6
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.17.0    < 2.17.3
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.18.0    < 2.18.2
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.19.0    < 2.19.3
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.20.0    < 2.20.2
cpe:2.3:a:git-scm:git:2.21.0:*:*:*:*:*:*:*  git             == None      == 2.21.0
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*       git             >= 2.22.0    < 2.22.2
cpe:2.3:a:git-scm:git:2.23.0:*:*:*:*:*:*:*  git             == None      == 2.23.0
cpe:2.3:a:git-scm:git:2.24.0:*:*:*:*:*:*:*  git             == None      == 2.24.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status