{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-1387", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "dateUpdated": "2024-08-04T18:13:30.492Z", "dateReserved": "2018-11-26T00:00:00", "datePublished": "2019-12-18T20:11:53"}, "containers": {"cna": {"providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-26T10:06:04.659245"}, "descriptions": [{"lang": "en", "value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones."}], "affected": [{"vendor": "Microsoft Corporation", "product": "Git", "versions": [{"version": "Before v2.24.1", "status": "affected"}, {"version": "Before v2.23.1", "status": "affected"}, {"version": "Before v2.22.2", "status": "affected"}, {"version": "Before v2.21.1", "status": "affected"}, {"version": "Before v2.20.2", "status": "affected"}, {"version": "Before v2.19.3", "status": "affected"}, {"version": "Before v2.18.2", "status": "affected"}, {"version": "Before v2.17.3", "status": "affected"}, {"version": "Before v2.16.6", "status": "affected"}, {"version": "Before v2.15.4", "status": "affected"}, {"version": "Before v2.14.6", "status": "affected"}]}], "references": [{"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"}, {"name": "RHSA-2019:4356", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:4356"}, {"name": "RHSA-2020:0002", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0002"}, {"name": "FEDORA-2019-1cec196e20", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"name": "RHSA-2020:0124", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0124"}, {"name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"}, {"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}, {"name": "openSUSE-SU-2020:0123", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"name": "RHSA-2020:0228", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0228"}, {"name": "GLSA-202003-30", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202003-30"}, {"name": "GLSA-202003-42", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202003-42"}, {"name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Remote Code Execution"}]}]}, "adp": [{"affected": [{"vendor": "git", "product": "git", "cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2,24.1", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.23.1", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.22.2", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.21.1", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.20.2", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.19.3", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.18.2", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.17.3", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.16.6", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.15.4", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.14.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T18:49:36.663475Z", "id": "CVE-2019-1387", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T19:03:52.040Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:13:30.492Z"}, "title": "CVE Program Container", "references": [{"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u", "tags": ["x_transferred"]}, {"name": "RHSA-2019:4356", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:4356"}, {"name": "RHSA-2020:0002", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0002"}, {"name": "FEDORA-2019-1cec196e20", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"name": "RHSA-2020:0124", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0124"}, {"name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"}, {"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/", "tags": ["x_transferred"]}, {"name": "openSUSE-SU-2020:0123", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"name": "RHSA-2020:0228", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0228"}, {"name": "GLSA-202003-30", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-30"}, {"name": "GLSA-202003-42", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-42"}, {"name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2019:4356", "name": "RHSA-2019:4356", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2020:0002", "name": "RHSA-2020:0002", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/", "name": "FEDORA-2019-1cec196e20", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2020:0124", "name": "RHSA-2020:0124", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html", "name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/", "tags": ["x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html", "name": "openSUSE-SU-2020:0123", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2020:0228", "name": "RHSA-2020:0228", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202003-30", "name": "GLSA-202003-30", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202003-42", "name": "GLSA-202003-42", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html", "name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html", "name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:13:30.492Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-1387", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-19T18:49:36.663475Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"], "vendor": "git", "product": "git", "versions": [{"status": "affected", "version": "0", "lessThan": "2,24.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.23.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.22.2", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.21.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.20.2", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.19.3", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.18.2", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.17.3", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.16.6", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.15.4", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.14.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T19:03:30.617Z"}}], "cna": {"affected": [{"vendor": "Microsoft Corporation", "product": "Git", "versions": [{"status": "affected", "version": "Before v2.24.1"}, {"status": "affected", "version": "Before v2.23.1"}, {"status": "affected", "version": "Before v2.22.2"}, {"status": "affected", "version": "Before v2.21.1"}, {"status": "affected", "version": "Before v2.20.2"}, {"status": "affected", "version": "Before v2.19.3"}, {"status": "affected", "version": "Before v2.18.2"}, {"status": "affected", "version": "Before v2.17.3"}, {"status": "affected", "version": "Before v2.16.6"}, {"status": "affected", "version": "Before v2.15.4"}, {"status": "affected", "version": "Before v2.14.6"}]}], "references": [{"url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"}, {"url": "https://access.redhat.com/errata/RHSA-2019:4356", "name": "RHSA-2019:4356", "tags": ["vendor-advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2020:0002", "name": "RHSA-2020:0002", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/", "name": "FEDORA-2019-1cec196e20", "tags": ["vendor-advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2020:0124", "name": "RHSA-2020:0124", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html", "name": "[debian-lts-announce] 20200123 [SECURITY] [DLA 2059-1] git security update", "tags": ["mailing-list"]}, {"url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html", "name": "openSUSE-SU-2020:0123", "tags": ["vendor-advisory"]}, {"url": "https://access.redhat.com/errata/RHSA-2020:0228", "name": "RHSA-2020:0228", "tags": ["vendor-advisory"]}, {"url": "https://security.gentoo.org/glsa/202003-30", "name": "GLSA-202003-30", "tags": ["vendor-advisory"]}, {"url": "https://security.gentoo.org/glsa/202003-42", "name": "GLSA-202003-42", "tags": ["vendor-advisory"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html", "name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html", "name": "[debian-lts-announce] 20240626 [SECURITY] [DLA 3844-1] git security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Remote Code Execution"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-26T10:06:04.659245"}}}, "cveMetadata": {"cveId": "CVE-2019-1387", "state": "PUBLISHED", "dateUpdated": "2024-08-04T18:13:30.492Z", "dateReserved": "2018-11-26T00:00:00", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2019-12-18T20:11:53", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD0FE176-63B7-4176-8319-80CD3D7C524E", "versionEndExcluding": "2.14.6", "versionStartIncluding": "2.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FA79B4D-1A29-4520-ACF7-BBD5B2696ABA", "versionEndExcluding": "2.15.4", "versionStartIncluding": "2.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB018182-B15F-47BC-85FA-6847BB37844A", "versionEndExcluding": "2.16.6", "versionStartIncluding": "2.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "19CF821B-9ECC-4F6C-B0BC-7361370776C5", "versionEndExcluding": "2.17.3", "versionStartIncluding": "2.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "84278A89-0D1B-4CFD-9B31-68D8D7327E65", "versionEndExcluding": "2.18.2", "versionStartIncluding": "2.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B4FA857-692C-4C00-A170-1F31E6D9563E", "versionEndExcluding": "2.19.3", "versionStartIncluding": "2.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD4C8899-C9E7-4DFC-BE17-D5D67B9B5FFB", "versionEndExcluding": "2.20.2", "versionStartIncluding": "2.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "025C10E9-40A6-408C-AE2C-5FC55E788775", "versionEndExcluding": "2.22.2", "versionStartIncluding": "2.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.21.0:*:*:*:*:*:*:*", "matchCriteriaId": "A2FDF378-11FC-414D-8F4B-04BE6269C49A", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.23.0:*:*:*:*:*:*:*", "matchCriteriaId": "018467BF-01DC-40EE-99F4-0E8375A615DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:2.24.0:*:*:*:*:*:*:*", "matchCriteriaId": "B977B43D-A0F8-4367-8BA4-96C12CF10002", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones."}, {"lang": "es", "value": "Se encontr\u00f3 un problema en Git versiones anteriores a v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4 y v2. 14.6. Los clones recursivos est\u00e1n actualmente afectados por una vulnerabilidad causada por una comprobaci\u00f3n too-lax de los nombres de subm\u00f3dulos, permitiendo ataques muy espec\u00edficos por medio de una ejecuci\u00f3n de c\u00f3digo remota en clones recursivos."}], "id": "CVE-2019-1387", "lastModified": "2024-06-26T10:15:10.077", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-18T21:15:13.820", "references": [{"source": "secure@microsoft.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"source": "secure@microsoft.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"source": "secure@microsoft.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:4356"}, {"source": "secure@microsoft.com", "url": "https://access.redhat.com/errata/RHSA-2020:0002"}, {"source": "secure@microsoft.com", "url": "https://access.redhat.com/errata/RHSA-2020:0124"}, {"source": "secure@microsoft.com", "url": "https://access.redhat.com/errata/RHSA-2020:0228"}, {"source": "secure@microsoft.com", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"}, {"source": "secure@microsoft.com", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"}, {"source": "secure@microsoft.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"source": "secure@microsoft.com", "url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"}, {"source": "secure@microsoft.com", "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}, {"source": "secure@microsoft.com", "url": "https://security.gentoo.org/glsa/202003-30"}, {"source": "secure@microsoft.com", "url": "https://security.gentoo.org/glsa/202003-42"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:0124", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "git-0:1.8.3.1-21.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-01-16T00:00:00Z"}, {"advisory": "RHSA-2019:4356", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-0:2.18.2-1.el8_1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-12-19T00:00:00Z"}, {"advisory": "RHSA-2020:0228", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "git-0:2.18.2-1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-01-27T00:00:00Z"}, {"advisory": "RHSA-2020:0002", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-01-02T00:00:00Z"}, {"advisory": "RHSA-2020:0002", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-01-02T00:00:00Z"}, {"advisory": "RHSA-2020:0002", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-01-02T00:00:00Z"}, {"advisory": "RHSA-2020:0002", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.2-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-01-02T00:00:00Z"}], "bugzilla": {"description": "git: Remote code execution in recursive clones with nested submodules", "id": "1781127", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1781127"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.", "A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine."], "mitigation": {"lang": "en:us", "value": "Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories."}, "name": "CVE-2019-1387", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "camel-git", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-git", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2019-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-1387\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1387\nhttps://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2"], "statement": "This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not use submodules names to construct git metadata paths.", "threat_severity": "Important", "upstream_fix": "git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2, git 2.19.3, git 2.18.2, git 2.17.3, git 2.16.6, git 2.15.4, git 2.14.6"}