CVE-2019-13638

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-13638

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13638.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-13638

Downstream

ALPINE-CVE-2019-13638

DEBIAN-CVE-2019-13638

DLA-1864-1

DSA-4489-1

RHSA-2019:2798

RHSA-2019:2964

RHSA-2019:3757

RHSA-2019:3758

RHSA-2019:4061

UBUNTU-CVE-2019-13638

USN-4071-1

USN-4071-2

Related

Published

2019-07-26T13:15:12.783Z

Modified

2025-11-29T22:33:23.021583Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

References

Affected packages

Git / cgit.git.savannah.gnu.org/cgit/patch.git

Affected ranges

Type: GIT
Repo: https://cgit.git.savannah.gnu.org/cgit/patch.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3fcd042d26d70856e826a42b5f93dc4854d80bf0

Git / git.savannah.gnu.org/git/patch.git

Affected ranges

Type: GIT
Repo: https://git.savannah.gnu.org/git/patch.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected