CVE-2019-1387

Name
CVE-2019-1387
Description
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                  URI
Third Party Advisory  https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u
vendor-advisory       https://access.redhat.com/errata/RHSA-2019:4356
vendor-advisory       https://access.redhat.com/errata/RHSA-2020:0002
FEDORA                https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
vendor-advisory       https://access.redhat.com/errata/RHSA-2020:0124
mailing-list          https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html
MISC                  https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
vendor-advisory       http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
vendor-advisory       https://access.redhat.com/errata/RHSA-2020:0228
vendor-advisory       https://security.gentoo.org/glsa/202003-30
vendor-advisory       https://security.gentoo.org/glsa/202003-42
vendor-advisory       http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
                      https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
vendor-advisory       https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
                      https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
mailing-list          https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html

Match rules

CPE URI  Source package  Min version        Max version
         git             == Before v2.24.1  == Before v2.24.1
         git             == Before v2.23.1  == Before v2.23.1
         git             == Before v2.22.2  == Before v2.22.2
         git             == Before v2.21.1  == Before v2.21.1
         git             == Before v2.20.2  == Before v2.20.2
         git             == Before v2.19.3  == Before v2.19.3
         git             == Before v2.18.2  == Before v2.18.2
         git             == Before v2.17.3  == Before v2.17.3
         git             == Before v2.16.6  == Before v2.16.6
         git             == Before v2.15.4  == Before v2.15.4
         git             == Before v2.14.6  == Before v2.14.6

Vulnerable and fixed packages

Source package  Branch     Version   Maintainer                              Status
git             3.20-main  2.45.2-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed
git             3.19-main  2.43.4-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed
git             3.18-main  2.40.1-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed
git             3.17-main  2.38.5-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed
git             edge-main  2.46.0-r0  Natanael Copa <ncopa@alpinelinux.org>  fixed