#VU23500 Absolute Path Traversal in Git


Published: 2019-12-10 | Updated: 2019-12-11

Vulnerability identifier: #VU23500

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-1351

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the Git for Visual Studio improperly handles virtual drive paths. A remote attacker can clone a file using a specially crafted path and write arbitrary files and directories to certain locations on a vulnerable system.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git: 2.24.0, 2.23.0, 2.22.0 - 2.22.1, 2.21.0, 2.20.0 - 2.20.1, 2.19.0 - 2.19.2, 2.17.0 - 2.17.2, 2.16.0 - 2.16.5, 2.15.0 - 2.15.3, 2.14 - 2.14.5, 2.18.0 - 2.18.1

Fixed software versions

CPE

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Absolute Path Traversal in libgit2-1.0 (Alpine package)
OpenSUSE Linux update for git
Gentoo update for Git
OpenSUSE Linux update for git
Multiple vulnerabilities in Git
Ubuntu update for Git
Amazon Linux AMI update for git
Multiple vulnerabilities in Microsoft Git for Visual Studio
Absolute Path Traversal in git (Alpine package)
Absolute Path Traversal in libgit2 (Alpine package)