U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:git-scm:git:1.5.6.5:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 28 matching records.
Displaying matches 21 through 28.
Vuln ID Summary CVSS Severity
CVE-2017-15298

Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.

Published: October 14, 2017; 6:29:00 PM -0400 		V3.0: 5.5 MEDIUM
 V2.0: 4.3 MEDIUM
CVE-2017-1000117

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

Published: October 04, 2017; 9:29:04 PM -0400 		V3.0: 8.8 HIGH
 V2.0: 6.8 MEDIUM
CVE-2017-14867

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Published: September 28, 2017; 9:34:50 PM -0400 		V3.0: 8.8 HIGH
 V2.0: 9.0 HIGH
CVE-2014-9938

contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

Published: March 19, 2017; 8:59:00 PM -0400 		V3.1: 8.8 HIGH
 V2.0: 6.8 MEDIUM
CVE-2016-2324

Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.

Published: April 08, 2016; 10:59:02 AM -0400 		V3.1: 9.8 CRITICAL
 V2.0: 10.0 HIGH
CVE-2013-0308

The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: March 08, 2013; 4:55:03 PM -0500 		V3.x:(not available)
 V2.0: 4.3 MEDIUM
CVE-2010-3906

Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters.

Published: December 17, 2010; 2:00:20 PM -0500 		V3.x:(not available)
 V2.0: 4.3 MEDIUM
CVE-2010-2542

Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.

Published: August 11, 2010; 2:47:50 PM -0400 		V3.x:(not available)
 V2.0: 7.5 HIGH