{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-08T13:01:00Z",
  "bugzilla" : {
    "description" : "gitk: git script execution flaw",
    "id" : "2379125",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2379125"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "details" : [ "Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.", "There's a vulnerability in gitk where a user can be tricked into running malicious scripts supplied by the attacker when running the gitk filename command. When successfully exploited, this vulnerability may result in arbitrary code execution." ],
  "statement" : "The Red Hat Product Security team has rated this vulnerability as having a Moderate impact because it depends on the user being tricked into running the command with the malicious file as a parameter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-07-22T00:00:00Z",
    "advisory" : "RHSA-2025:11533",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "git-0:2.47.3-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-23T00:00:00Z",
    "advisory" : "RHSA-2025:11534",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "git-0:2.43.7-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-07-21T00:00:00Z",
    "advisory" : "RHSA-2025:11462",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "git-0:2.47.3-1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "git",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "git",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-27614\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27614\nhttps://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/\nhttps://www.openwall.com/lists/oss-security/2025/07/08/4" ],
  "name" : "CVE-2025-27614",
  "mitigation" : {
    "value" : "There's no known mitigation for this issue other than avoiding the use of gitk with untrusted repositories or untrusted files.",
    "lang" : "en:us"
  },
  "csaw" : false
}