CVE-2019-19604
 
Severity Score
7.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Una ejecuciĆ³n de comandos arbitrarios es posible en Git versiones anteriores a 2.20.2, versiones 2.21.x anteriores a 2.21.1, versiones 2.22.x anteriores a 2.22.2, versiones 2.23.x anteriores a 2.23.1 y versiones 2.24.x anteriores a 2.24.1, porque una operaciĆ³n "git submodule update" puede ejecutar comandos encontrados en el archivo .gitmodules de un repositorio malicioso.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-12-05 CVE Reserved
- 2019-12-10 CVE Published
- 2023-11-16 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-862: Missing Authorization
CAPEC
References (10)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/12/13/1 | Mailing List | |
https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com | X_refsource_confirm | |
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.txt | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md | 2024-08-05 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | < 2.20.0 Search vendor "Git-scm" for product "Git" and version " < 2.20.0" | - |
Affected
| ||||||
Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.21.0 < 2.21.1 Search vendor "Git-scm" for product "Git" and version " >= 2.21.0 < 2.21.1" | - |
Affected
| ||||||
Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.22.0 < 2.22.2 Search vendor "Git-scm" for product "Git" and version " >= 2.22.0 < 2.22.2" | - |
Affected
| ||||||
Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.23.0 < 2.23.1 Search vendor "Git-scm" for product "Git" and version " >= 2.23.0 < 2.23.1" | - |
Affected
| ||||||
Git-scm Search vendor "Git-scm" | Git Search vendor "Git-scm" for product "Git" | >= 2.24.0 < 2.24.1 Search vendor "Git-scm" for product "Git" and version " >= 2.24.0 < 2.24.1" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 31 Search vendor "Fedoraproject" for product "Fedora" and version "31" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
|