CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003010
https://notcve.org/view.php?id=CVE-2019-1003010
06 Feb 2019 — A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record. Existe una vulnerabilidad Cross-Site Request Forgery (CSRF) en Jenkins Git Plugin, en versiones 3.9.1 y anteriores, en src/main/java/hudson/plugins/git/GitTagAction.java, que permite que los atacantes creen una etiqueta Git en un espacio de trabajo y adjunte... • https://access.redhat.com/errata/RHBA-2019:0326 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2018-19486 – git: Improper handling of PATH allows for commands to be executed from the current directory
https://notcve.org/view.php?id=CVE-2018-19486
23 Nov 2018 — Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017. Git, en versiones anteriores a la 2.19.2 en Linux y UNIX, ejecuta comandos desde el directorio de trabajo actual (como si '.' estuviera al final de $PATH) en determinados casos relacionados con la API run_command() y run-command.c, debido a un cam... • http://www.securityfocus.com/bid/106020 • CWE-426: Untrusted Search Path •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000182
https://notcve.org/view.php?id=CVE-2018-1000182
05 Jun 2018 — A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Existe una vulnerabilidad Server-Side Request Forgery en el plugin Git en versiones 3.9.0 y anteriores de Jenkins en AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryB... • https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2018-11233 – git: path sanity check in is_ntfs_dotgit() can read arbitrary memory
https://notcve.org/view.php?id=CVE-2018-11233
30 May 2018 — In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. En Git, en versiones anteriores a la 2.13.7, versiones 2.14.x anteriores a la 2.14.4, versiones 2.15.x anteriores a la 2.15.2, versiones 2.16.x anteriores a la 2.16.4 y versiones 2.17.x anteriores a la 2.17.1, el código para comprobar el saneamiento de los nombres de ruta en NTFS puede resultar en la lectura de me... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read •
CVSS: 8.8EPSS: 12%CPEs: 17EXPL: 17CVE-2018-11235 – git: arbitrary code execution when recursively cloning a malicious repository
https://notcve.org/view.php?id=CVE-2018-11235
30 May 2018 — In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the int... • https://packetstorm.news/files/id/148010 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000110
https://notcve.org/view.php?id=CVE-2018-1000110
13 Mar 2018 — An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users. Existe una vulnerabilidad de autorización incorrecta en el plugin Git para Jenkins, en versiones 3.7.0 y anteriores, en GitStatus.java que permite que un atacante con acceso de red obtenga una lista de nodos y usuarios. • https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000021
https://notcve.org/view.php?id=CVE-2018-1000021
09 Feb 2018 — GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack). GIT, en versiones 2.15.1 y anteriores, contiene una vulnerabilidad de error de validación de entradas en Client que puede resultar en problemas que incluyen errores de configuración de terminal en RC... • http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 2CVE-2017-15298 – Ubuntu Security Notice USN-3829-1
https://notcve.org/view.php?id=CVE-2017-15298
14 Oct 2017 — Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk. Git, en versiones hasta la 2.14.2 gestiona de manera incorrecta capas de objetos tipo árbol, lo que permite que atacantes remotos provoquen una denegación ... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 124EXPL: 0CVE-2017-1000092
https://notcve.org/view.php?id=CVE-2017-1000092
04 Oct 2017 — Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. El plugin Git se conecta a un repositorio de Git especificado por el usuario como parte de la v... • http://www.securityfocus.com/bid/100435 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2017-14867 – Ubuntu Security Notice USN-3438-1
https://notcve.org/view.php?id=CVE-2017-14867
28 Sep 2017 — Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support. Git en versiones anteriores a la 2.10.5, las versiones 2.11.x anteriores a 2.11.4, las 2.12.x anteriores a2.12.5, las 2.13.x anteriores a 2.13.6 y las 2.14.x anter... • http://www.openwall.com/lists/oss-security/2017/09/26/9 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •