ASA-2019-00664 – Git: Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning

Allele Security Alert

ASA-2019-00664, CVE-2019-1351

Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning

the Git project

Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

mingw: handle subst-ed “DOS drives”

Proof of concept

While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via subst <letter>: <path>. Git mistook paths starting with such a non-alphabetic "drive letter" for relative paths, which allowed writing outside of the worktree while cloning.
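To make the misclassification concrete, the following is an added illustration written for this alert; it is not Git's own code and the function names are hypothetical. It places a drive-prefix check that accepts only US-English letters (the weak form described above) next to a broader check that treats any single character, ASCII or one multi-byte UTF-8 sequence, followed by a colon as a drive prefix, which is what a `subst`-assigned drive such as `1:` requires. The sample paths in `main` are constructed for the demonstration.

```c
/*
 * Added example for ASA-2019-00664 / CVE-2019-1351. Not Git's code;
 * function names are hypothetical. Shows how a drive-prefix check that
 * only accepts US-English letters treats "1:/foo" as a relative path.
 */
#include <ctype.h>
#include <stdio.h>

/* Weak check: only "<US-English letter>:" counts as a DOS drive prefix.
 * Returns the prefix length (2) or 0 when there is no prefix. */
int has_dos_drive_prefix_weak(const char *path)
{
	return (isalpha((unsigned char)path[0]) && path[1] == ':') ? 2 : 0;
}

/* Hardened check: any single character followed by ':' is a drive prefix,
 * because `subst` accepts virtually any character as a virtual drive letter.
 * A multi-byte UTF-8 character (lead byte plus continuation bytes) is
 * skipped as one unit. Returns the prefix length including the colon, or 0. */
int has_dos_drive_prefix_hardened(const char *path)
{
	int i;
	unsigned char c = (unsigned char)path[0];

	/* an empty path, a bare colon or a separator cannot start a drive */
	if (!c || c == ':' || c == '/' || c == '\\')
		return 0;
	if (!(c & 0x80))                      /* single-byte (ASCII) character */
		return path[1] == ':' ? 2 : 0;
	/* multi-byte UTF-8: skip continuation bytes of the form 10xxxxxx */
	for (i = 1; i < 4 && (((unsigned char)path[i]) & 0xC0) == 0x80; i++)
		;
	return path[i] == ':' ? i + 1 : 0;
}

static int is_dir_sep(char c)
{
	return c == '/' || c == '\\';
}

/* A path is absolute if it starts with a separator or a drive prefix;
 * "prefix" selects which drive check is used. */
static int is_absolute_with(const char *path, int (*prefix)(const char *))
{
	return is_dir_sep(path[0]) || prefix(path) != 0;
}

int is_absolute_weak(const char *path)
{
	return is_absolute_with(path, has_dos_drive_prefix_weak);
}

int is_absolute_hardened(const char *path)
{
	return is_absolute_with(path, has_dos_drive_prefix_hardened);
}

int main(void)
{
	/* constructed sample paths; "\xC3\xA4" is UTF-8 for the letter ä */
	const char *samples[] = { "C:/repo", "1:/repo", "\xC3\xA4:/repo",
				  "/repo", "repo/sub", ":repo" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-14s weak=%d hardened=%d\n", samples[i],
		       is_absolute_weak(samples[i]),
		       is_absolute_hardened(samples[i]));
	return 0;
}
```

The row for `1:/repo` is the point of the alert: the weak check reports it as relative, so code that only guards against "absolute" destinations would let it through, while the hardened check classifies it as absolute and the guard applies.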

Technical details

Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)

[ANNOUNCE] Git v2.24.1 and others

mingw: handle subst-ed “DOS drives”

Visual Studio 2019 version 16.4 Release Notes

CVE-2019-1351 | Git for Visual Studio Tampering Vulnerability

Git v2.24.1 Release Notes

Git v2.23.1 Release Notes

Git v2.22.2 Release Notes

Git v2.21.1 Release Notes

Git v2.20.2 Release Notes

Git v2.19.3 Release Notes

Git v2.18.2 Release Notes

Git v2.17.3 Release Notes

Git v2.16.6 Release Notes

Git v2.15.4 Release Notes

Git v2.14.6 Release Notes

CVE-2019-1351 - Red Hat Customer Portal

CVE-2019-1351 in Ubuntu

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.