Vulnerabilities > GIT SCM

DATE CVE VULNERABILITY TITLE RISK
2019-12-11 CVE-2019-19604 Missing Authorization vulnerability in multiple products
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
7.8
2018-11-23 CVE-2018-19486 Untrusted Search Path vulnerability in multiple products
Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
network
low complexity
git-scm canonical CWE-426
critical
9.8
2018-10-06 CVE-2018-17456 Argument Injection or Modification vulnerability in multiple products
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
network
low complexity
git-scm redhat canonical debian CWE-88
critical
9.8
2018-05-30 CVE-2018-11235 Path Traversal vulnerability in multiple products
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.
7.8
2018-05-30 CVE-2018-11233 Out-of-bounds Read vulnerability in multiple products
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
network
low complexity
canonical git-scm CWE-125
7.5
2018-02-09 CVE-2018-1000021 Improper Input Validation vulnerability in Git-Scm GIT
GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE.
network
high complexity
git-scm CWE-20
5.0
2017-10-14 CVE-2017-15298 Resource Exhaustion vulnerability in multiple products
Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb.
local
low complexity
git-scm canonical CWE-400
5.5
2017-10-05 CVE-2017-1000117 Open Redirect vulnerability in Git-Scm GIT
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed.
network
low complexity
git-scm CWE-601
8.8
2017-09-29 CVE-2017-14867 OS Command Injection vulnerability in multiple products
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name.
network
low complexity
git-scm debian CWE-78
8.8
2017-03-20 CVE-2014-9938 Improper Encoding or Escaping of Output vulnerability in Git-Scm GIT
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
network
low complexity
git-scm CWE-116
8.8