CVE-2014-9390

Malicious Git And Mercurial HTTP Server For CVE-2014-9390

Severity Score: 9.8 (CVSS v3.1)
Public Exploits: 0 (multiple sources)

Exploited in Wild (KEV): -

SSVC Decision: -

Descriptions

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.


*Credits: N/A

CVSS Scores

CVSS v3.1 (base score 9.8)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2 (the second metric set on the page; Authentication and Partial impact are v2 metrics)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2014-12-17 CVE Reserved
  • 2014-12-20 CVE Published
  • 2024-06-25 EPSS Updated
  • 2024-08-06 CVE Updated
  • Exploited in Wild: no date recorded
  • KEV Due Date: no date recorded
  • First Exploit: no date recorded
CWE
  • CWE-20: Improper Input Validation
CAPEC
  • (none listed)
Affected Vendors, Products, and Versions

The "Platform" column is the operating system the affected product runs on (shown on the page as "in Apple Mac Os X" / "in Microsoft Windows"); the page marks those platform entries themselves as Safe, i.e. only the product listed in the row is vulnerable.

Vendor     Product    Version             Other    Platform            Status
Git-scm    Git        < 1.8.5.6           -        Apple Mac Os X      Affected
Git-scm    Git        < 1.8.5.6           -        Microsoft Windows   Affected
Git-scm    Git        >= 1.9.0 < 1.9.5    -        Apple Mac Os X      Affected
Git-scm    Git        >= 1.9.0 < 1.9.5    -        Microsoft Windows   Affected
Git-scm    Git        >= 2.0.0 < 2.0.5    -        Apple Mac Os X      Affected
Git-scm    Git        >= 2.0.0 < 2.0.5    -        Microsoft Windows   Affected
Git-scm    Git        >= 2.1.0 < 2.1.4    -        Apple Mac Os X      Affected
Git-scm    Git        >= 2.1.0 < 2.1.4    -        Microsoft Windows   Affected
Git-scm    Git        >= 2.2.0 < 2.2.1    -        Apple Mac Os X      Affected
Git-scm    Git        >= 2.2.0 < 2.2.1    -        Microsoft Windows   Affected
Mercurial  Mercurial  < 3.2.3             -        Apple Mac Os X      Affected
Mercurial  Mercurial  < 3.2.3             -        Microsoft Windows   Affected
Apple      Xcode      <= 6.1.1            -        -                   Affected
Apple      Xcode      6.2                 -        -                   Affected
Apple      Xcode      6.2                 beta_2   -                   Affected
Eclipse    Egit       < 08-12-2014        -        -                   Affected
Eclipse    Jgit       < 3.4.2             -        -                   Affected
Eclipse    Jgit       >= 3.5.0 < 3.5.3    -        -                   Affected
Libgit2    Libgit2    < 0.21.3            -        -                   Affected