ASA-2019-00668 – Git: Remote Code Execution (RCE) in recursive clones

Allele Security Alert



Identifier(s)

ASA-2019-00668, CVE-2019-1387

Title

Remote Code Execution (RCE) in recursive clones

Vendor(s)

the Git project

Product(s)

Git



Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

Disallow dubiously-nested submodule git directories

Proof of concept



Description

Recursive clones (git clone --recurse-submodules, and git submodule update --recursive on an existing clone) in the affected versions validate submodule names too laxly. Git keeps each submodule's repository under .git/modules/<name>, where <name> is taken from the .gitmodules file of the repository being cloned, which the remote controls. The affected versions did not check that one submodule's git directory was kept out of another submodule's git directory, so a malicious repository can declare submodule names that make one submodule's git directory land inside another's. The Git project describes this as allowing very targeted attacks via remote code execution in recursive clones. The fix (commit "Disallow dubiously-nested submodule git directories") rejects such layouts.

Only recursive clones and submodule updates of untrusted repositories are exposed; a plain git clone does not initialise submodules. Until Git is upgraded to a fixed version, avoid --recurse-submodules and git submodule update against repositories you do not trust.
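The two name checks implied by the description above, as an added example that is not Git's own validation code: a Python auditor that reads a .gitmodules file before a recursive clone and flags names that would escape .git/modules/ (the kind of name Git already rejected after CVE-2018-11235) or that would put one submodule's git directory inside another's (the "dubiously nested" layout the CVE-2019-1387 fix rejects). The sample .gitmodules content, the host example.invalid and all function names are constructed for the example, and the prefix-based nesting rule is an approximation of Git's check, not a copy of it.

```python
"""Pre-clone audit of a .gitmodules file.

Added example, not Git's own validation code.  It models two checks at the
.gitmodules level: names that would escape .git/modules/ (the kind of name
Git has rejected since the CVE-2018-11235 fix) and names whose git directory
would be nested inside another submodule's git directory (the "dubiously
nested" layout the CVE-2019-1387 fix rejects).  The prefix-based nesting
rule is an approximation of Git's check, not a copy of it.
"""
import posixpath
import re

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)$')

# Constructed sample: one benign submodule, one whose name nests its git
# directory under the first one's, and one whose name escapes .git/modules/.
# example.invalid is a placeholder host, not a real repository.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "libfoo/hooks"]
\tpath = vendor/hooks
\turl = https://example.invalid/hooks.git
[submodule "../escape"]
\tpath = vendor/escape
\turl = https://example.invalid/escape.git
"""


def parse_gitmodules(text):
    """Return {name: {key: value}} for each [submodule "name"] section."""
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            modules.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group("key").lower()] = m.group("value")
    return modules


def module_git_dir(name):
    """Normalised location Git would use for this submodule's repository."""
    return posixpath.normpath(posixpath.join(".git", "modules", name))


def name_escapes(name):
    """Names that must be rejected outright: empty, option-like, absolute,
    or containing a '..' component (which would leave .git/modules/)."""
    if not name or name[0] in "-/\\":
        return True
    return ".." in re.split(r"[\\/]+", name)


def find_nesting(names):
    """(outer, inner) pairs where inner's git dir lies inside outer's git dir."""
    pairs = []
    for outer in names:
        prefix = module_git_dir(outer) + "/"
        for inner in names:
            if inner != outer and module_git_dir(inner).startswith(prefix):
                pairs.append((outer, inner))
    return pairs


def audit_gitmodules(text):
    """List of (finding, detail) tuples; an empty list means nothing suspicious."""
    modules = parse_gitmodules(text)
    findings = [("escapes-modules-dir", n) for n in modules if name_escapes(n)]
    safe_names = [n for n in modules if not name_escapes(n)]
    for outer, inner in find_nesting(safe_names):
        findings.append(("nested-git-dir", f"{inner} inside {outer}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{finding}: {detail}")
```

Run it against the .gitmodules of a repository you are about to clone recursively (git show origin/HEAD:.gitmodules after a plain clone, or git archive of the remote) and refuse the recursive step on any finding. This is a defence-in-depth pre-check for hosts that cannot be upgraded immediately; it does not replace updating Git, since the fixed versions enforce the rule inside Git itself.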

Technical details



Credits

Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)


Reference(s)

[ANNOUNCE] Git v2.24.1 and others

Disallow dubiously-nested submodule git directories

Visual Studio 2019 version 16.4 Release Notes

CVE-2019-1387 | Git for Visual Studio Remote Code Execution Vulnerability

Git v2.24.1 Release Notes

Git v2.23.1 Release Notes

Git v2.22.2 Release Notes

Git v2.21.1 Release Notes

Git v2.20.2 Release Notes

Git v2.19.3 Release Notes

Git v2.18.2 Release Notes

Git v2.17.3 Release Notes

Git v2.16.6 Release Notes

Git v2.15.4 Release Notes

Git v2.14.6 Release Notes

CVE-2019-1387 - Red Hat Customer Portal

CVE-2019-1387 in Ubuntu



If there is any error in this alert, or you would like a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.