CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2016-10130
https://notcve.org/view.php?id=CVE-2016-10130
The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable. La función http_connect en transports/http.c en libgit2 en versiones anteriores a 0.24.6 y 0.25.x en versiones anteriores a 0.25.1 podría permitir a atacantes man-in-the-middle suplantar servidores a provechando el clobbering de la variable de error. • http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html http://www.openwall.com/lists/oss-security/2017/01/10/5 http://www.openwall.com/lists/oss-security/2017/01/11/6 http://www.securityfocus.com/bid/95359 https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22 https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 0CVE-2016-10129
https://notcve.org/view.php?id=CVE-2016-10129
The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line. El soporte Git Smart Protocol en libgit2 en versiones anteriores a 0.24.6 y 0.25.x en versiones anteriores a 0.25.1 permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL) a través de una linea de paquete vacía. • http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html http://www.openwall.com/lists/oss-security/2017/01/10/5 http://www.openwall.com/lists/oss-security/2017/01/11/6 http://www.securityfocus.com/bid/95339 https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2016-8568
https://notcve.org/view.php?id=CVE-2016-8568
The git_commit_message function in oid.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file. La función git_commit_message en oid.c en libgit2 en versiones anteriores a 0.24.3 permite a atacantes remotos provocar una denegación de servicio (lectura fuera de límites) a través de un comando cat-file con un archivo de objeto manipulado. • http://lists.opensuse.org/opensuse-updates/2016-12/msg00075.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00103.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00110.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00114.html http://www.openwall.com/lists/oss-security/2016/10/08/7 http://www.securityfocus.com/bid/93466 https://bugzilla.redhat.com/show_bug.cgi?id=1383211 https://github.com/libgit2/libgit2/issues/3936 https://github.com/libgit2 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2016-8569
https://notcve.org/view.php?id=CVE-2016-8569
The git_oid_nfmt function in commit.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a cat-file command with a crafted object file. La función git_oid_nfmt en commit.c en libgit2 en versiones anteriores a 0.24.3 permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL) a través de un comando cat-file con un archivo de objeto manipulado. • http://lists.opensuse.org/opensuse-updates/2016-12/msg00075.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00103.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00110.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00114.html http://www.openwall.com/lists/oss-security/2016/10/08/7 http://www.securityfocus.com/bid/93465 https://bugzilla.redhat.com/show_bug.cgi?id=1383211 https://github.com/libgit2/libgit2/issues/3937 https://github.com/libgit2 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 94%CPEs: 17EXPL: 0CVE-2014-9390 – Malicious Git And Mercurial HTTP Server For CVE-2014-9390
https://notcve.org/view.php?id=CVE-2014-9390
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Git versiones anteriores a 1.8.5.6, versiones 1.9.x anteriores a 1.9.5, versiones 2.0.x anteriores a 2.0.5, versiones 2.1.x anteriores a 2.1.4 y versiones 2.2.x anteriores a 2.2.1 en Windows y OS X; Mercurial versiones anteriores a 3.2.3 en Windows y OS X; Apple Xcode versiones anteriores a 6.2 beta 3; mine todas las versiones antes del 08-12-2014; libgit2 todas las versiones hasta 0.21. 2; Egit todas las versiones anteriores al 08-12-2014; y JGit todas las versiones anteriores al 08-12-2014 permiten a los servidores Git remotos ejecutar comandos arbitrarios por medio de un árbol que contiene un archivo .git/config diseñado con (1) un punto de código Unicode ignorable, (2) una representación git~1/config, o (3) mayúsculas y minúsculas que no son manejadas apropiadamente en un sistema de archivos insensible a mayúsculas y minúsculas • http://article.gmane.org/gmane.linux.kernel/1853266 http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html http://mercurial.selenic.com/wiki/WhatsNew http://securitytracker.com/id?1031404 http://support.apple.com/kb/HT204147 https://github.com/blog/1938-git-client-vulnerability-announced https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915 https://libgit2.org/security https://news.ycombinator.com/item?id=8769667 https://www.rapid7.com/blo • CWE-20: Improper Input Validation •