CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-30947
https://notcve.org/view.php?id=CVE-2022-30947
17 May 2022 — Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. El Plugin Git de Jenkins versiones 4.11.1 y anteriores, permiten a atacantes configurar los pipelines para comprobar algunos repositorios SCM almacenados en el sistema de archivos del controlador de Jenkins usando rutas locales como URLs SCM, obtenie... • http://www.openwall.com/lists/oss-security/2022/05/17/8 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-24765 – Uncontrolled search for the Git directory in Git for Windows
https://notcve.org/view.php?id=CVE-2022-24765
12 Apr 2022 — Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. • http://seclists.org/fulldisclosure/2022/May/31 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-24975
https://notcve.org/view.php?id=CVE-2022-24975
11 Feb 2022 — The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk. La documentación --mirror para Git versiones hasta 2.35.1, no menciona la disponibilidad del contenid... • https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-46101
https://notcve.org/view.php?id=CVE-2021-46101
31 Jan 2022 — In Git for windows through 2.34.1 when using git pull to update the local warehouse, git.cmd can be run directly. En Git para windows versiones hasta 2.34.1, cuando es usado git pull para actualizar el almacén local, puede ejecutarse directamente git.cmd • https://github.com/0xADY/git_rce •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21684 – jenkins-2-plugins/git: stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2021-21684
06 Oct 2021 — Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability. El plugin Git de Jenkins versiones 4.8.2 y anteriores, no escapa a los parámetros de suma de comprobación Git SHA-1 proporcionados a las notificaciones de commit cuando se muestran en una causa de construcción, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado... • http://www.openwall.com/lists/oss-security/2021/10/06/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-40330 – Ubuntu Security Notice USN-5076-1
https://notcve.org/view.php?id=CVE-2021-40330
31 Aug 2021 — git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. La función git_connect_git en el archivo connect.c en Git versiones anteriores a 2.30.1, permite que la ruta de un repositorio contenga un carácter de nueva línea, que puede resultar en peticiones inesperadas entre protocolos, como es demostrado en la subcadena g... • https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29468 – Arbitrary code execution when checking out an attacker-controlled Git branch
https://notcve.org/view.php?id=CVE-2021-29468
29 Apr 2021 — Cygwin Git is a patch set for the git command line tool for the cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git for themselves from upstream... • https://cygwin.com/pipermail/cygwin-announce/2021-April/010018.html • CWE-20: Improper Input Validation •
CVSS: 8.0EPSS: 75%CPEs: 21EXPL: 15CVE-2021-21300 – malicious repositories can execute remote code while cloning
https://notcve.org/view.php?id=CVE-2021-21300
09 Mar 2021 — Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is theref... • https://packetstorm.news/files/id/163978 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2136 – jenkins-git-plugin: stored cross-site scripting
https://notcve.org/view.php?id=CVE-2020-2136
09 Mar 2020 — Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability. Jenkins Git Plugin versiones 4.2.0 y anteriores, no escapa al mensaje de error de la URL del repositorio para la comprobación del formulario del campo TFS de Microsoft, resultando en una vulnerabilidad de tipo cross-site scripting almacenado. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes... • http://www.openwall.com/lists/oss-security/2020/03/09/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003010
https://notcve.org/view.php?id=CVE-2019-1003010
06 Feb 2019 — A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. Existe una vulnerabilidad Cross-Site Request Forgery (CSRF) en Jenkins Git Plugin, en versiones 3.9.1 y anteriores, en src/main/java/hudson/plugins/git/GitTagAction.java, que permite que los atacantes creen una etiqueta Git en un espacio de trabajo y adjunte... • https://access.redhat.com/errata/RHBA-2019:0326 • CWE-352: Cross-Site Request Forgery (CSRF) •