CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 18CVE-2025-48384 – Git allows arbitrary code execution through broken config quoting
https://notcve.org/view.php?id=CVE-2025-48384
08 Jul 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodu... • https://github.com/acheong08/CVE-2025-48384 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-436: Interpretation Conflict •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-48385 – Git alllows arbitrary file writes via bundle-uri parameter injection
https://notcve.org/view.php?id=CVE-2025-48385
08 Jul 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the... • https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655 • CWE-73: External Control of File Name or Path CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.3EPSS: 0%CPEs: 8EXPL: 0CVE-2025-48386 – Git allows a buffer overflow in 'wincred' credential helper
https://notcve.org/view.php?id=CVE-2025-48386
08 Jul 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v... • https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-52005 – The sideband payload is passed unfiltered to the terminal in git
https://notcve.org/view.php?id=CVE-2024-52005
15 Jan 2025 — Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that c... • https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329 • CWE-116: Improper Encoding or Escaping of Output CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 3.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-50349 – Git does not sanitize URLs when asking for credentials interactively
https://notcve.org/view.php?id=CVE-2024-50349
14 Jan 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escap... • https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8 • CWE-116: Improper Encoding or Escaping of Output CWE-147: Improper Neutralization of Input Terminators CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2024-52006 – Newline confusion in credential helpers can lead to credential exfiltration in git
https://notcve.org/view.php?id=CVE-2024-52006
14 Jan 2025 — Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. T... • https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g • CWE-116: Improper Encoding or Escaping of Output CWE-147: Improper Neutralization of Input Terminators CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0CVE-2022-38663
https://notcve.org/view.php?id=CVE-2022-38663
23 Aug 2022 — Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. Jenkins Git Plugin versiones 4.11.4 y anteriores, no enmascara apropiadamente (es decir, reemplaza con asteriscos) las credenciales en el registro de construcción proporcionado por el enlace de credenciales Git Username and Password ("gitUsernamePassword"). • http://www.openwall.com/lists/oss-security/2022/08/23/2 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36884 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36884
27 Jul 2022 — The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. El endpoint de webhook en Jenkins Git Plugin versiones4.11.3 y anteriores, proporciona a atacantes no autenticados información sobre la existencia de trabajos configurados para usar un repositorio Git especificado por el atacante Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application p... • http://www.openwall.com/lists/oss-security/2022/07/27/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 76%CPEs: 1EXPL: 0CVE-2022-36883 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36883
27 Jul 2022 — A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una falta de comprobación de permisos en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes no autenticados desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causarles una comprobación de... • http://www.openwall.com/lists/oss-security/2022/07/27/1 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36882 – jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git
https://notcve.org/view.php?id=CVE-2022-36882
27 Jul 2022 — A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causar que comp... • http://www.openwall.com/lists/oss-security/2022/07/27/1 • CWE-352: Cross-Site Request Forgery (CSRF) •