{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a \"git submodule update\" operation can run commands found in the .gitmodules file of a malicious repository."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-01T23:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}, {"name": "DSA-4581", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4581"}, {"name": "[oss-security] 20191213 Multiple vulnerabilities fixed in Git", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/1"}, {"name": "FEDORA-2019-c841bcc3b9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCYSSCA5ZTEP46SB4XRPSQGFV2L3NKMZ/"}, {"name": "FEDORA-2019-1cec196e20", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"name": "openSUSE-SU-2020:0123", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"name": "GLSA-202003-30", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-30"}, {"name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19604", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a \"git submodule update\" operation can run commands found in the .gitmodules file of a malicious repository."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md", "refsource": "MISC", "url": "https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md"}, {"name": "https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt", "refsource": "CONFIRM", "url": "https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt"}, {"name": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/", "refsource": "CONFIRM", "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/"}, {"name": "DSA-4581", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4581"}, {"name": "[oss-security] 20191213 Multiple vulnerabilities fixed in Git", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/12/13/1"}, {"name": "FEDORA-2019-c841bcc3b9", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCYSSCA5ZTEP46SB4XRPSQGFV2L3NKMZ/"}, {"name": "FEDORA-2019-1cec196e20", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"name": "openSUSE-SU-2020:0123", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"name": "GLSA-202003-30", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-30"}, {"name": "openSUSE-SU-2020:0598", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:25:11.529Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}, {"name": "DSA-4581", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4581"}, {"name": "[oss-security] 20191213 Multiple vulnerabilities fixed in Git", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/1"}, {"name": "FEDORA-2019-c841bcc3b9", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCYSSCA5ZTEP46SB4XRPSQGFV2L3NKMZ/"}, {"name": "FEDORA-2019-1cec196e20", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"name": "openSUSE-SU-2020:0123", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"name": "GLSA-202003-30", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-30"}, {"name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19604", "datePublished": "2019-12-10T23:33:06", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-05T02:25:11.529Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "539A3B25-6523-4357-8B86-EC679711F48B", "versionEndExcluding": "2.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "4392299F-8DFB-4ADF-BAA8-4415D459E8EE", "versionEndExcluding": "2.21.1", "versionStartIncluding": "2.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "025C10E9-40A6-408C-AE2C-5FC55E788775", "versionEndExcluding": "2.22.2", "versionStartIncluding": "2.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9073ABE-276B-4301-B39C-B9BB6C1AA681", "versionEndExcluding": "2.23.1", "versionStartIncluding": "2.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6D58347-1CE3-4AEA-9617-2F46CCBE167E", "versionEndExcluding": "2.24.1", "versionStartIncluding": "2.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a \"git submodule update\" operation can run commands found in the .gitmodules file of a malicious repository."}, {"lang": "es", "value": "Una ejecuci\u00f3n de comandos arbitrarios es posible en Git versiones anteriores a 2.20.2, versiones 2.21.x anteriores a 2.21.1, versiones 2.22.x anteriores a 2.22.2, versiones 2.23.x anteriores a 2.23.1 y versiones 2.24.x anteriores a 2.24.1, porque una operaci\u00f3n \"git submodule update\" puede ejecutar comandos encontrados en el archivo .gitmodules de un repositorio malicioso."}], "id": "CVE-2019-19604", "lastModified": "2023-11-07T03:07:43.407", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-11T00:15:13.260", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/12/13/1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCYSSCA5ZTEP46SB4XRPSQGFV2L3NKMZ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"}, {"source": "cve@mitre.org", "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-30"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4581"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent", "id": "1781971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1781971"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-807", "details": ["Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a \"git submodule update\" operation can run commands found in the .gitmodules file of a malicious repository.", "A security bypass was discovered in git, which allows arbitrary commands to be executed during the update of git submodules. A remote attacker may trick a victim user into cloning a malicious repository that initially looks fine, allowing access to bypass the security mechanisms that prevent the execution of arbitrary commands during the submodule initialization. After following an update of the repository and the submodules done by the victim user, vulnerable versions of git may use the update setting in the .gitmodules file and execute arbitrary commands."], "name": "CVE-2019-19604", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-git", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "camel-git", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-git218-git", "product_name": "Red Hat Software Collections"}], "public_date": "2019-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-19604\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19604\nhttps://github.com/git/git/security/advisories/GHSA-cj5c-9839-g2ch"], "statement": "This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, and 7 as they did not support custom commands as a valid update setting for submodules.\nThis issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 8 as they did no re-read the update setting from the .gitmodules file after the initialization of the submodules.", "threat_severity": "Moderate", "upstream_fix": "git 2.24.1, git 2.23.1, git 2.22.2, git 2.21.1, git 2.20.2"}