Risk | High |
Patch available | YES |
Number of vulnerabilities | 20 |
CVE-ID | CVE-2019-1348 CVE-2019-13484 CVE-2019-13486 CVE-2019-13485 CVE-2019-1349 CVE-2019-13496 CVE-2019-13498 CVE-2019-13497 CVE-2019-1352 CVE-2019-13525 CVE-2019-13529 CVE-2019-13521 CVE-2019-13527 CVE-2019-13528 CVE-2019-13523 CVE-2019-13522 CVE-2019-13526 CVE-2019-13520 CVE-2019-1387 CVE-2019-19604 |
CWE-ID | CWE-22 CWE-119 CWE-121 CWE-20 CWE-354 CWE-300 CWE-352 CWE-306 CWE-77 CWE-824 CWE-285 CWE-284 CWE-288 CWE-78 |
Exploitation vector | Network |
Public exploit |
Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #11 is available. Public exploit code for vulnerability #20 is available. |
Vulnerable software |
Arch Linux Operating systems & Components / Operating system |
Vendor | Arch Linux |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
EUVDB-ID: #VU23554
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-1348
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when the export-marks option of git fast-import is exposed also via the in-stream command feature. A remote attacker can send a specially crafted HTTP request and overwrite arbitrary paths on the system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21083
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13484
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the status-log viewer CGI because of expansion in the "appfeed.c". A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21082
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13486
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to access or modify data, or cause a denial of service (DoS) condition on an affected system.
The vulnerability exists in the status-log viewer component due to a boundary error in the "svcstatus.c" file because the software does not properly validate user-supplied input. A remote unauthenticated attacker can submit malicious input, trigger stack-based buffer overflow and access or modify data, or cause a DoS condition on the affected system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21060
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13485
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a long hostname or service parameter in history.c within the in the history viewer component. A remote authenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23494
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-1349
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22542
Risk: High
CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13496
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
Update the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU22528
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13498
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU22527
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13497
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in logout requests. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23492
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-1352
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22283
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13525
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21726
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:U/RC:C]
CVE-ID: CVE-2019-13529
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU21332
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13521
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands.
Update the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21330
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13527
CWE-ID:
CWE-824 - Access of Uninitialized Pointer
Exploit availability: No
DescriptionUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21231
Risk: Low
CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13528
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU21209
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13523
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the integrated web server of the affected devices allows to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders). A remote attacker can gain unauthorized access to view device configuration information.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20839
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13522
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the application. A remote attacker can create a specially crafted project file, trick the victim into opening it, trigger memory corruption and execute arbitrary code under the privileges of the application.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20419
Risk: Medium
CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13526
CWE-ID:
CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Exploit availability: No
DescriptionUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20346
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13520
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the affected application when processing SDP files. A remote unauthenticated attacker can send a specially crafted project files, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23488
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-1387
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23556
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-19604
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to a "git submodule update" operation can run commands found in the ".gitmodules" file of a malicious repository. A remote unauthenticated attacker can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package git to version 2.24.1-1.
Vulnerable software versionsArch Linux: All versions
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-201912-6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.