
CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 1

31 Aug 2021 — git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. • https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473 •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Jul 2021 — isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository. A flaw was found in isomorphic-git. An attacker could cause a Directory Traversal via a crafted filepath in a repository being cloned. The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Mana... • https://github.com/isomorphic-git/isomorphic-git/pull/1339 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

08 Jun 2021 — reg-keygen-git-hash-plugin is a reg-suit plugin to detect the snapshot key to be compared with using Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allows remote attackers to execute arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue. • https://github.com/reg-viz/reg-suit/commit/f84ad9c7a22144d6c147dc175c52756c0f444d87 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Mar 2021 — git-bug before 0.7.2 has an Uncontrolled Search Path Element. It will execute git.bat from the current directory in certain PATH situations (most often seen on Windows). • https://github.com/MichaelMure/git-bug/security/advisories/GHSA-m898-h4pm-pqfr • CWE-427: Uncontrolled Search Path Element •

CVSS: 8.0 • EPSS: 75% • CPEs: 21 • EXPL: 15

09 Mar 2021 — Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is theref... • https://packetstorm.news/files/id/163978 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 9.8 • EPSS: 5% • CPEs: 1 • EXPL: 0

18 Feb 2021 — The package async-git before 1.13.2 is vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb') • https://github.com/omrilotan/async-git/commit/d1950a5021f4e19d92f347614be0d85ce991510d • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.8 • EPSS: 3% • CPEs: 1 • EXPL: 1

21 Jan 2021 — The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. • https://advisory.checkmarx.net/advisory/CX-2021-4772 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Jan 2021 — Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory se... • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27955 • CWE-426: Untrusted Search Path •

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

13 Jan 2021 — git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution. • https://github.com/git-big-picture/git-big-picture/pull/27 • CWE-20: Improper Input Validation •

CVSS: 10.0 • EPSS: 92% • CPEs: 1 • EXPL: 24

05 Nov 2020 — Git LFS 2.12.0 allows Remote Code Execution. • https://packetstorm.news/files/id/164180 • CWE-427: Uncontrolled Search Path Element •