{"viewCount": 0, "id": "GLSA-200907-05", "hash": "453f1dbcdbdc5a3cbae687b8fe97120c23e579f6a75b477510ef70da45695b0d", "lastseen": "2016-09-06T19:46:28", "href": "https://security.gentoo.org/glsa/200907-05", "history": [], "edition": 1, "description": "### Background\n\ngit - the stupid content tracker, the revision control system used by the Linux kernel team. \n\n### Description\n\nShawn O. Pearce reported that git-daemon runs into an infinite loop when handling requests that contain unrecognized arguments. \n\n### Impact\n\nA remote unauthenticated attacker could send a specially crafted request to git-daemon, possibly leading to a Denial of Service (CPU consumption). \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll git users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-util/git-1.6.3.3\"", "cvelist": ["CVE-2009-2108"], "references": ["https://bugs.gentoo.org/show_bug.cgi?id=273905", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2108"], "modified": "2009-07-12T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "bulletinFamily": "unix", "title": "git: git-daemon Denial of Service", "objectVersion": "1.2", "reporter": "Gentoo Foundation", "type": "gentoo", "published": "2009-07-12T00:00:00", "affectedPackage": [{"operator": "lt", "packageName": "dev-util/git", "OSVersion": "any", "OS": "Gentoo", "packageVersion": "1.6.3.3", "arch": "all", "packageFilename": "UNKNOWN"}], "hashmap": [{"key": "affectedPackage", "hash": "768f5146f0a8a0d293879d16f251939b"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "3c3c14786ade71e896367338686f1535"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "7d51e872256d6e986669c336e9aa55c6"}, {"key": "href", "hash": "22e8cbcc9751176a217ab3d36f54e168"}, {"key": "modified", "hash": "aaa75facd1658e3eb8fea6773bbbb617"}, {"key": "objectVersion", "hash": "777d45bbbcdf50d49c42c70ad7acf5fe"}, {"key": "published", "hash": "aaa75facd1658e3eb8fea6773bbbb617"}, {"key": "references", "hash": "5255837ee40f5ca8f5e486fc69972129"}, {"key": "reporter", "hash": "ac1fd6b3deacaf22b54dd1934ae33181"}, {"key": "title", "hash": "56a2be255e6cdc50ddd164e6b90a8f8a"}, {"key": "type", "hash": "365d0fc7d6206ff26e2f2c2a78c91a94"}], "enchantments": {"vulnersScore": 8.5}}

{"result": {"cve": [{"id": "CVE-2009-2108", "type": "cve", "title": "CVE-2009-2108", "description": "git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments.", "published": "2009-06-18T14:30:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2108", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-08-17T11:14:22"}], "nessus": [{"id": "DEBIAN_DSA-1841.NASL", "type": "nessus", "title": "Debian DSA-1841-1 : git-core - denial of service", "description": "It was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions.", "published": "2010-02-24T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44706", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:26:38"}, {"id": "FREEBSD_PKG_D9B01C0859B311DE828E00E0815B8DA8.NASL", "type": "nessus", "title": "FreeBSD : git -- denial of service vulnerability (d9b01c08-59b3-11de-828e-00e0815b8da8)", "description": "SecurityFocus reports :\n\nGit is prone to a denial-of-service vulnerability because it fails to properly handle some client requests.\n\nAttackers can exploit this issue to cause a daemon process to enter an infinite loop. Repeated exploits may consume excessive system resources, resulting in a denial of service condition.", "published": "2009-06-16T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39408", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:26:20"}, {"id": "GENTOO_GLSA-200907-05.NASL", "type": "nessus", "title": "GLSA-200907-05 : git: git-daemon Denial of Service", "description": "The remote host is affected by the vulnerability described in GLSA-200907-05 (git: git-daemon Denial of Service)\n\n Shawn O. Pearce reported that git-daemon runs into an infinite loop when handling requests that contain unrecognized arguments.\n Impact :\n\n A remote unauthenticated attacker could send a specially crafted request to git-daemon, possibly leading to a Denial of Service (CPU consumption).\n Workaround :\n\n There is no known workaround at this time.", "published": "2009-07-13T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39776", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:26:03"}, {"id": "FEDORA_2009-6936.NASL", "type": "nessus", "title": "Fedora 11 : git-1.6.2.5-1.fc11 (2009-6936)", "description": "This update fixes a Denial of Service vulnerability in git-daemon.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-06-25T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39513", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:24:39"}, {"id": "FEDORA_2009-6839.NASL", "type": "nessus", "title": "Fedora 10 : git-1.6.0.6-4.fc10 (2009-6839)", "description": "This update fixes a Denial of Service vulnerability in git-daemon. It also fixes minor issues when using git-cvsimport and the formatting of the git-daemon xinetd service description.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-06-25T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39509", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:23:18"}, {"id": "FEDORA_2009-6809.NASL", "type": "nessus", "title": "Fedora 9 : git-1.6.0.6-4.fc9 (2009-6809)", "description": "This update fixes a Denial of Service vulnerability in git-daemon. It also fixes minor issues when using git-cvsimport and the formatting of the git-daemon xinetd service description.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-06-25T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39507", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:24:37"}, {"id": "MANDRIVA_MDVSA-2009-155.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : git (MDVSA-2009:155)", "description": "A vulnerability has been found and corrected in git :\n\ngit-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments (CVE-2009-2108).\n\nThis update provides fixes for this vulnerability.", "published": "2010-07-30T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=48150", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:25:06"}], "openvas": [{"id": "OPENVAS:64427", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200907-05 (git)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200907-05.", "published": "2009-07-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64427", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-24T12:57:02"}, {"id": "OPENVAS:64519", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:176 (git)", "description": "The remote host is missing an update to git\nannounced via advisory MDVSA-2009:176.", "published": "2009-08-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64519", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-24T12:57:06"}, {"id": "OPENVAS:64457", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:155 (git)", "description": "The remote host is missing an update to git\nannounced via advisory MDVSA-2009:155.", "published": "2009-07-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64457", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-24T12:57:07"}, {"id": "OPENVAS:64480", "type": "openvas", "title": "Debian Security Advisory DSA 1841-1 (git-core)", "description": "The remote host is missing an update to git-core\nannounced via advisory DSA 1841-1.", "published": "2009-07-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64480", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-24T12:56:10"}, {"id": "OPENVAS:64288", "type": "openvas", "title": "Fedora Core 9 FEDORA-2009-6809 (git)", "description": "The remote host is missing an update to git\nannounced via advisory FEDORA-2009-6809.", "published": "2009-06-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64288", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-25T10:56:43"}, {"id": "OPENVAS:64202", "type": "openvas", "title": "FreeBSD Ports: git", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2009-06-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64202", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-02T21:14:11"}, {"id": "OPENVAS:64292", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-6839 (git)", "description": "The remote host is missing an update to git\nannounced via advisory FEDORA-2009-6839.", "published": "2009-06-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64292", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-25T10:56:16"}, {"id": "OPENVAS:64290", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-6936 (git)", "description": "The remote host is missing an update to git\nannounced via advisory FEDORA-2009-6936.", "published": "2009-06-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64290", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-25T10:57:13"}, {"id": "OPENVAS:66803", "type": "openvas", "title": "Debian Security Advisory DSA 1841-2 (git-core)", "description": "The remote host is missing an update to git-core\nannounced via advisory DSA 1841-2.", "published": "2010-02-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=66803", "cvelist": ["CVE-2009-2108"], "lastseen": "2017-07-24T12:49:09"}], "freebsd": [{"id": "D9B01C08-59B3-11DE-828E-00E0815B8DA8", "type": "freebsd", "title": "git -- denial of service vulnerability", "description": "\nSecurityFocus reports:\n\nGit is prone to a denial-of-service vulnerability because it\n\t fails to properly handle some client requests.\nAttackers can exploit this issue to cause a daemon process to\n\t enter an infinite loop. Repeated exploits may consume excessive\n\t system resources, resulting in a denial of service condition.\n\n", "published": "2009-06-04T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/d9b01c08-59b3-11de-828e-00e0815b8da8.html", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-26T17:24:52"}], "debian": [{"id": "DSA-1841", "type": "debian", "title": "git-core -- denial of service", "description": "It was discovered that git-daemon which is part of git-core, a popular distributed revision control system, is vulnerable to denial of service attacks caused by a programming mistake in handling requests containing extra unrecognized arguments which results in an infinite loop. While this is no problem for the daemon itself as every request will spawn a new git-daemon instance, this still results in a very high CPU consumption and might lead to denial of service conditions.\n\nFor the oldstable distribution (etch), this problem has been fixed in version 1.4.4.4-4+etch3.\n\nFor the stable distribution (lenny), this problem has been fixed in version 1.5.6.5-3+lenny2.\n\nFor the testing distribution (squeeze), this problem has been fixed in version 1:1.6.3.3-1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1:1.6.3.3-1.\n\nWe recommend that you upgrade your git-core packages.", "published": "2009-07-25T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-1841", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-09-02T18:24:06"}], "exploitdb": [{"id": "EDB-ID:33036", "type": "exploitdb", "title": "Git <= 1.6.3 Parameter Processing Remote Denial Of Service Vulnerability", "description": "Git 1.6.3 Parameter Processing Remote Denial Of Service Vulnerability. CVE-2009-2108. Dos exploit for linux platform", "published": "2009-05-05T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/33036/", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-02-03T18:20:33"}], "seebug": [{"id": "SSV-86291", "type": "seebug", "title": "Git <= 1.6.3 Parameter Processing Remote Denial Of Service Vulnerability", "description": "Summary: \ngit 1.4.4. 5 version to 1. 6. 3 version of git-daemon, a remote attacker can use an included extra that the argument of the request, causing a denial of service(infinite loop and CPU loss).\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-86291", "cvelist": ["CVE-2009-2108"], "lastseen": "2016-07-26T19:43:27"}]}}