CVE-2019-1387

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-1387
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1387.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-1387
Downstream
Related
Published
2019-12-18T21:15:13.820Z
Modified
2026-03-15T22:29:42.787982Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

References

Affected packages

Git / github.com/git/git

Affected ranges

Type
GIT
Repo
https://github.com/git/git
Events
Introduced
4384e3cde2ce8ecd194202e171ae16333d241326
Fixed
66d2a6159f511924e7e0b8a21c93538879bfd622
Introduced
cb5918aa0d50f50e83787f65c2ddc3dcb10159fe
Fixed
7cdafcaacf677b9e0700fa988c247bda192db48d
Introduced
2512f15446149235156528dafbe75930c712b29e
Fixed
eb288bc455ac67e3ceeff90daf6f25972bb586d0
Introduced
468165c1d8a442994a825f3684528361727cd8c0
Fixed
a5ab8d03173458b76b8452efd90a7173f490c132
Introduced
53f9a3e157dbbc901a02ac2c73346d375e24978c
Fixed
9877106b01cbd346b862cc8cd2c52e496dd40ed5
Introduced
1d4361b0f344188ab5eec6dcea01f61a3a3a1670
Fixed
caccc527ca7f4b3e6f4bb6775cbff94b27741482
Introduced
5d826e972970a784bd7a7bdf587512510097b8c7
Fixed
4cd1cf31efed9b16db5035c377bfa222f5272458
Introduced
b697d92f56511e804b8ba20ccbe7bdc85dc66810
Fixed
d9589d4051537c387b70dc76e430c61b4c85a86d
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8104ec994ea3849a968b4667d072fedd1e688642
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5fa0f5238b0cd46cfe7f6fa76c3f526ea98148d9
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
da72936f544fec5a335e66432610e4cef4430991
Database specific 
{
    "versions": [
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.14.6"
        },
        {
            "introduced": "2.15.0"
        },
        {
            "fixed": "2.15.4"
        },
        {
            "introduced": "2.16.0"
        },
        {
            "fixed": "2.16.6"
        },
        {
            "introduced": "2.17.0"
        },
        {
            "fixed": "2.17.3"
        },
        {
            "introduced": "2.18.0"
        },
        {
            "fixed": "2.18.2"
        },
        {
            "introduced": "2.19.0"
        },
        {
            "fixed": "2.19.3"
        },
        {
            "introduced": "2.20.0"
        },
        {
            "fixed": "2.20.2"
        },
        {
            "introduced": "2.22.0"
        },
        {
            "fixed": "2.22.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.21.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.23.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.24.0"
        }
    ]
}

Affected versions

v2.*
v2.10.4
v2.10.5
v2.11.3
v2.11.4
v2.12.4
v2.12.5
v2.13.5
v2.13.6
v2.13.7
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.7.6
v2.8.6
v2.9.5

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1387.json"