{
  "threat_severity" : "Important",
  "public_date" : "2019-12-10T00:00:00Z",
  "bugzilla" : {
    "description" : "git: Remote code execution in recursive clones with nested submodules",
    "id" : "1781127",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1781127"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.", "A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine." ],
  "statement" : "This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6 as they did not use submodule names to construct git metadata paths.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-01-16T00:00:00Z",
    "advisory" : "RHSA-2020:0124",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "git-0:1.8.3.1-21.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-12-19T00:00:00Z",
    "advisory" : "RHSA-2019:4356",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "git-0:2.18.2-1.el8_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-01-27T00:00:00Z",
    "advisory" : "RHSA-2020:0228",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.0",
    "package" : "git-0:2.18.2-1.el8_0"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-01-02T00:00:00Z",
    "advisory" : "RHSA-2020:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git218-git-0:2.18.2-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2020-01-02T00:00:00Z",
    "advisory" : "RHSA-2020:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git218-git-0:2.18.2-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-01-02T00:00:00Z",
    "advisory" : "RHSA-2020:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git218-git-0:2.18.2-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-01-02T00:00:00Z",
    "advisory" : "RHSA-2020:0002",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-git218-git-0:2.18.2-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "git",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "camel-git",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "camel-git",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1387\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1387\nhttps://github.com/git/git/security/advisories/GHSA-4wfr-gwrh-8mj2" ],
  "name" : "CVE-2019-1387",
  "mitigation" : {
    "value" : "Avoid running `git clone --recurse-submodules` and `git submodule update` with untrusted repositories.",
    "lang" : "en:us"
  },
  "csaw" : false
}