Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:git-scm:git:
There are 10 matching records.
Displaying matches 1 through 10.
Vuln ID Summary CVSS Severity

Git before, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Published: February 11, 2020; 9:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.

Published: November 23, 2018; 3:29:00 AM -0500
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Published: May 30, 2018; 12:29:00 AM -0400
V3.0: 7.8 HIGH
V2.0: 6.8 MEDIUM

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.

Published: May 30, 2018; 12:29:00 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).

Published: February 09, 2018; 6:29:00 PM -0500
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM

Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.

Published: October 14, 2017; 6:29:00 PM -0400
V3.0: 5.5 MEDIUM
V2.0: 4.3 MEDIUM

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

Published: October 04, 2017; 9:29:04 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM

contrib/completion/ in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

Published: March 19, 2017; 8:59:00 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM

Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.

Published: April 08, 2016; 10:59:02 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 10.0 HIGH

Stack-based buffer overflow in the is_git_directory function in setup.c in Git before allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.

Published: August 11, 2010; 2:47:50 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH