Main Vulnerability Database Vulnerabilities #VU23556

OS Command Injection in Git - CVE-2019-19604

Published: December 12, 2019

Vulnerability identifier: #VU23556

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2019-19604

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Git

Software vendor:
Git

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to a "git submodule update" operation can run commands found in the ".gitmodules" file of a malicious repository. A remote unauthenticated attacker can execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt
https://www.debian.org/security/2019/dsa-4581

OS Command Injection in Git - CVE-2019-19604

Description

Remediation

External links

Please verify you're human