Allele Security Alert
ASA-2019-00668
Identifier(s)
ASA-2019-00668, CVE-2019-1387
Title
Remote Code Execution (RCE) in recursive clones
Vendor(s)
the Git project
Product(s)
Git
Affected version(s)
Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6
Fixed version(s)
Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6
Git versions with the following commit:
Disallow dubiously-nested submodule git directories
https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2
Proof of concept
Unknown
Description
Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Technical details
Unknown
Credits
Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)
Reference(s)
[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905
Disallow dubiously-nested submodule git directories
https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2
Disallow dubiously-nested submodule git directories
https://github.com/git/git/commit/a8dee3ca610f5a1d403634492136c887f83b59d2
Visual Studio Icon Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice
CVE-2019-1387 | Git for Visual Studio Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1387
Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt
Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt
Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt
Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt
Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt
Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt
Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt
Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt
Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt
Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt
Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt
CVE-2019-1387
https://security.archlinux.org/CVE-2019-1387
CVE-2019-1387 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1387
CVE-2019-1387
https://security-tracker.debian.org/tracker/CVE-2019-1387
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1387.html
CVE-2019-1387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387
CVE-2019-1387
https://nvd.nist.gov/vuln/detail/CVE-2019-1387
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 12, 2019