Vulnerability Details : CVE-2019-1387
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Vulnerability category: Execute code
Products affected by CVE-2019-1387
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:git-scm:git:2.24.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1387
8.76%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 95 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1387
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
References for CVE-2019-1387
-
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
[security-announce] openSUSE-SU-2020:0598-1: moderate: Security update f
-
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
[SECURITY] [DLA 3844-1] git security update
-
https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
[ANNOUNCE] Git v2.24.1 and others - Junio C Hamano
-
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
[security-announce] openSUSE-SU-2020:0123-1: important: Security update
-
https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html
[SECURITY] [DLA 2059-1] git security update
-
https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
[ANNOUNCE] Git v2.24.1 and others - Junio C Hamano
-
https://access.redhat.com/errata/RHSA-2020:0228
RHSA-2020:0228 - Security Advisory - Red Hat Customer Portal
-
https://security.gentoo.org/glsa/202003-42
libgit2: Multiple vulnerabilities (GLSA 202003-42) — Gentoo security
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
[SECURITY] Fedora 30 Update: git-2.21.1-1.fc30 - package-announce - Fedora Mailing-Lists
-
https://security.gentoo.org/glsa/202003-30
Git: Multiple vulnerabilities (GLSA 202003-30) — Gentoo security
-
https://access.redhat.com/errata/RHSA-2020:0002
RHSA-2020:0002 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2019:4356
RHSA-2019:4356 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
[SECURITY] Fedora 30 Update: git-2.21.1-1.fc30 - package-announce - Fedora Mailing-Lists
-
https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
[ANNOUNCE] Git v2.24.1 and others
-
https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u
[ANNOUNCE] Git v2.24.1 and othersThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2020:0124
RHSA-2020:0124 - Security Advisory - Red Hat Customer Portal
Jump to