CVE-2019-1387

Name
CVE-2019-1387
Description
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u
vendor-advisory https://access.redhat.com/errata/RHSA-2019:4356
vendor-advisory https://access.redhat.com/errata/RHSA-2020:0002
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
vendor-advisory https://access.redhat.com/errata/RHSA-2020:0124
mailing-list https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html
MISC https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
vendor-advisory http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
vendor-advisory https://access.redhat.com/errata/RHSA-2020:0228
vendor-advisory https://security.gentoo.org/glsa/202003-30
vendor-advisory https://security.gentoo.org/glsa/202003-42
vendor-advisory http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
mailing-list https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html

Match rules

CPE URI Source package Min version Max version
git == Before v2.24.1 == Before v2.24.1
git == Before v2.23.1 == Before v2.23.1
git == Before v2.22.2 == Before v2.22.2
git == Before v2.21.1 == Before v2.21.1
git == Before v2.20.2 == Before v2.20.2
git == Before v2.19.3 == Before v2.19.3
git == Before v2.18.2 == Before v2.18.2
git == Before v2.17.3 == Before v2.17.3
git == Before v2.16.6 == Before v2.16.6
git == Before v2.15.4 == Before v2.15.4
git == Before v2.14.6 == Before v2.14.6
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.14.0 < 2.14.6
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.15.0 < 2.15.4
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.16.0 < 2.16.6
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.17.0 < 2.17.3
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.18.0 < 2.18.2
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.19.0 < 2.19.3
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.20.0 < 2.20.2
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:* git >= 2.22.0 < 2.22.2
cpe:2.3:a:git-scm:git:2.21.0:*:*:*:*:*:*:* git == None == 2.21.0
cpe:2.3:a:git-scm:git:2.23.0:*:*:*:*:*:*:* git == None == 2.23.0
cpe:2.3:a:git-scm:git:2.24.0:*:*:*:*:*:*:* git == None == 2.24.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
libgit2-1.5 edge-community 0.28.4-r0 None fixed
libgit2-1.1 edge-community 0.28.4-r0 None fixed
libgit2-1.0 edge-community 0.28.4-r0 None fixed
libgit2 edge-community 0.28.4-r0 None fixed
libgit2 3.22-community 0.28.4-r0 None fixed
libgit2 3.21-community 0.28.4-r0 None fixed
libgit2 3.20-community 0.28.4-r0 None fixed
libgit2 3.19-community 0.28.4-r0 None fixed
libgit2 3.18-community 0.28.4-r0 None fixed
libgit2 3.17-community 0.28.4-r0 None fixed
libgit2 3.11-main 0.28.4-r0 None fixed
git edge-main 2.46.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git edge-main 2.45.2-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
git edge-main 2.24.1-r0 None fixed
git edge-main 2.19.1-r0 None possibly vulnerable
git edge-main 2.17.1-r0 None possibly vulnerable
git edge-main 2.14.1-r0 None possibly vulnerable
git 3.22-main 2.24.1-r0 None fixed
git 3.22-main 2.19.1-r0 None possibly vulnerable
git 3.22-main 2.17.1-r0 None possibly vulnerable
git 3.22-main 2.14.1-r0 None possibly vulnerable
git 3.21-main 2.24.1-r0 None fixed
git 3.21-main 2.19.1-r0 None possibly vulnerable
git 3.21-main 2.17.1-r0 None possibly vulnerable
git 3.21-main 2.14.1-r0 None possibly vulnerable
git 3.20-main 2.45.2-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.20-main 2.24.1-r0 None fixed
git 3.20-main 2.19.1-r0 None possibly vulnerable
git 3.20-main 2.17.1-r0 None possibly vulnerable
git 3.20-main 2.14.1-r0 None possibly vulnerable
git 3.19-main 2.43.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.19-main 2.24.1-r0 None fixed
git 3.19-main 2.19.1-r0 None possibly vulnerable
git 3.19-main 2.17.1-r0 None possibly vulnerable
git 3.19-main 2.14.1-r0 None possibly vulnerable
git 3.18-main 2.40.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.18-main 2.24.1-r0 None fixed
git 3.17-main 2.38.5-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
git 3.17-main 2.24.1-r0 None fixed
git 3.12-main 2.24.1-r0 None fixed
git 3.11-main 2.24.1-r0 None fixed
git 3.10-main 2.22.2-r0 None fixed