
CVE-2019-1387

git: Remote code execution in recursive clones with nested submodules

Severity Score: 8.8 (*CVSS v3.1)
Exploit Likelihood: (*EPSS)
Affected Versions: (*CPE)
Public Exploits: 0 (*Multiple Sources)
Exploited in Wild: - (*KEV)
Decision: Track* (*SSVC)

Descriptions

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

An issue was found in Git versions before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4 and v2.14.6. Recursive clones are currently affected by a vulnerability caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine.
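The flaw described above comes down to a submodule name that maps to a metadata directory sitting inside another submodule's metadata directory, or outside the modules area entirely. The following is an added defensive audit of a .gitmodules file (example code written here, not Git's own validation); it assumes the standard Git layout of submodule metadata under .git/modules/<name> and uses a constructed sample file.

```python
import posixpath
import re

# Constructed sample .gitmodules: one benign entry, one whose name would place
# its metadata inside another submodule's metadata directory, one that escapes.
SAMPLE_GITMODULES = """\
[submodule "lib/json"]
\tpath = lib/json
\turl = https://example.invalid/json.git
[submodule "lib/json/hooks"]
\tpath = vendor/hooks
\turl = https://example.invalid/hooks.git
[submodule "../escape"]
\tpath = vendor/escape
\turl = https://example.invalid/escape.git
"""

SECTION_RE = re.compile(r'^\[submodule "(.+)"\]\s*$')

def parse_submodule_names(text):
    """Return the submodule names declared in a .gitmodules file, in order."""
    names = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            names.append(m.group(1))
    return names

def metadata_dir(name):
    """Git keeps a submodule's repository under .git/modules/<name>."""
    return posixpath.normpath(posixpath.join(".git/modules", name))

def audit_submodule_names(names):
    """Map each suspicious name to a reason: its metadata path escapes
    .git/modules, or nests inside another submodule's metadata directory."""
    findings = {}
    dirs = {n: metadata_dir(n) for n in names}
    for n, d in dirs.items():
        if not d.startswith(".git/modules/") or "\\" in n:
            findings[n] = "escapes .git/modules"
            continue
        for other, od in dirs.items():
            if other != n and d.startswith(od + "/"):
                findings[n] = f"nested inside metadata of {other!r}"
                break
    return findings
```

A clean file yields an empty dict; run the audit on a repository's .gitmodules before a recursive clone on a Git version the page lists as affected.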

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include a code execution vulnerability.

*Credits: N/A
CVSS Scores
  • CVSS v3.x (first set): Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • CVSS v3.x (second set): Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • CVSS v2: Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality: Partial; Integrity: Partial; Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2018-11-26 CVE Reserved
  • 2019-12-10 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions

Vendor    Product   Version               Other   Status
Git-scm   Git       >= 2.14.0 < 2.14.6    -       Affected
Git-scm   Git       >= 2.15.0 < 2.15.4    -       Affected
Git-scm   Git       >= 2.16.0 < 2.16.6    -       Affected
Git-scm   Git       >= 2.17.0 < 2.17.3    -       Affected
Git-scm   Git       >= 2.18.0 < 2.18.2    -       Affected
Git-scm   Git       >= 2.19.0 < 2.19.3    -       Affected
Git-scm   Git       >= 2.20.0 < 2.20.2    -       Affected
Git-scm   Git       >= 2.22.0 < 2.22.2    -       Affected
Git-scm   Git       2.21.0                -       Affected
Git-scm   Git       2.23.0                -       Affected
Git-scm   Git       2.24.0                -       Affected