CVE-2019-1387

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-1387

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-1387.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-1387

Downstream

ALPINE-CVE-2019-1387

DEBIAN-CVE-2019-1387

DLA-2059-1

DLA-3844-1

DLA-3867-1

DSA-4581-1

RHSA-2019:4356

RHSA-2020:0002

RHSA-2020:0124

RHSA-2020:0228

SUSE-SU-2019:3311-1

SUSE-SU-2020:0045-1

SUSE-SU-2020:1121-1

UBUNTU-CVE-2019-1387

USN-4220-1

openSUSE-SU-2020:0123-1

openSUSE-SU-2020:0598-1

openSUSE-SU-2024:10786-1

openSUSE-SU-2024:10943-1

Related

Published

2019-12-18T21:15:13Z

Modified

2025-10-15T10:15:51.579542Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

References

Affected packages

Git / github.com/git/git

Affected ranges

Type: GIT
Repo: https://github.com/git/git
Events: Introduced

4384e3cde2ce8ecd194202e171ae16333d241326

Fixed

66d2a6159f511924e7e0b8a21c93538879bfd622

Affected versions

v2.*

v2.10.4

v2.10.5

v2.11.3

v2.11.4

v2.12.4

v2.12.5

v2.13.5

v2.13.6

v2.13.7

v2.14.0

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.7.6

v2.8.6

v2.9.5