Multiple vulnerabilities in Git
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2019-1354 CVE-2019-1387 CVE-2019-19604 CVE-2019-1353 CVE-2019-1352 CVE-2019-1349 CVE-2019-1350 CVE-2019-1351 CVE-2019-1348 |
| CWE-ID | CWE-20 CWE-78 CWE-276 CWE-36 CWE-22 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
Git Client/Desktop applications / Software for system administration |
| Vendor | Git |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU23491
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-1354
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14.0 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
2) Input validation error
EUVDB-ID: #VU23488
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-1387
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14.0 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
3) OS Command Injection
EUVDB-ID: #VU23556
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-19604
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to a "git submodule update" operation can run commands found in the ".gitmodules" file of a malicious repository. A remote unauthenticated attacker can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.20.0 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
4) Incorrect default permissions
EUVDB-ID: #VU23555
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2019-1353
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists to due none of the NTFS protections are active when accessing a working directory on a regular Windows drive. A local user with access to the system can view contents of files and directories or modify them.
Note: This vulnerability occurs when running Git in the Windows Subsystem for Linux (also known as "WSL").
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14.0 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
5) Input validation error
EUVDB-ID: #VU23492
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-1352
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
6) Input validation error
EUVDB-ID: #VU23494
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-1349
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
7) Input validation error
EUVDB-ID: #VU23493
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-1350
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
8) Absolute Path Traversal
EUVDB-ID: #VU23500
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2019-1351
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to the Git for Visual Studio improperly handles virtual drive paths. A remote attacker can clone a file using a specially crafted path and write arbitrary files and directories to certain locations on a vulnerable system.
Mitigation
Install updates from vendor's website.
Vulnerable software versionsGit: 2.14 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
9) Path traversal
EUVDB-ID: #VU23554
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2019-1348
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when the export-marks option of git fast-import is exposed also via the in-stream command feature. A remote attacker can send a specially crafted HTTP request and overwrite arbitrary paths on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGit: 2.14.0 - 2.24.0
Fixed software versionsCPE2.3 External links
http://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
