
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

12 Apr 2022 — Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. • http://seclists.org/fulldisclosure/2022/May/31 • CWE-427: Uncontrolled Search Path Element

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

11 Feb 2022 — The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk. • https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191 • CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

31 Aug 2021 — git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. • https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473

CVSS: 8.0 • EPSS: 79% • CPEs: 21 • EXPL: 15

09 Mar 2021 — Git is an open-source distributed revision control system. In affected versions of Git, a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS may cause a just-checked-out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is theref... • https://packetstorm.news/files/id/163978 • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 7.5 • EPSS: 1% • CPEs: 16 • EXPL: 0

21 Apr 2020 — Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafte... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html • CWE-20: Improper Input Validation • CWE-522: Insufficiently Protected Credentials

CVSS: 9.3 • EPSS: 21% • CPEs: 20 • EXPL: 4

14 Apr 2020 — Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.examp... • https://packetstorm.news/files/id/157250 • CWE-20: Improper Input Validation • CWE-522: Insufficiently Protected Credentials

CVSS: 9.3 • EPSS: 2% • CPEs: 10 • EXPL: 1

10 Dec 2019 — Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-862: Missing Authorization

CVSS: 3.6 • EPSS: 0% • CPEs: 12 • EXPL: 0

10 Dec 2019 — An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html • CWE-20: Improper Input Validation

CVSS: 9.8 • EPSS: 0% • CPEs: 12 • EXPL: 0

10 Dec 2019 — An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html

CVSS: 8.8 • EPSS: 2% • CPEs: 11 • EXPL: 0

10 Dec 2019 — An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html • CWE-20: Improper Input Validation