Advisory ROSA-SA-2021-1843

Date: 2021-07-02 16:45:45
Source: ROSA LAB (abf.rosalinux.ru)

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
AI Score: 8.1 (Confidence: High)
EPSS: 0.896 (Percentile: 98.8%)

Software: git 1.8.3.1
OS: Cobalt 7.9

CVE-ID: CVE-2015-7545
CVE-Crit: CRITICAL
CVE-DESC: (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict allowed protocols, which could allow remote attackers to execute arbitrary code via a URL in (a) the .gitmodules file or (b) unknown other sources in a submodule.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-14867
CVE-Crit: HIGH
CVE-DESC: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses insecure Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in the module name. The vulnerable code is accessible via git-shell even without CVS support.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-15298
CVE-Crit: MEDIUM
CVE-DESC: Git through 2.14.2 does not properly handle tree object layers, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, also known as a Git bomb. This can also affect disk consumption; however, the affected process usually cannot survive an attempt to build a data structure in memory before writing to disk.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-1000021
CVE-Crit: HIGH
CVE-DESC: Git version 2.15.1 or earlier contains an "Input Validation Error" vulnerability in the client that could lead to problems ranging from a corrupted terminal configuration to RCE. This attack appears to be exploitable when a user interacts with a malicious git server (or has their traffic altered by a MITM attack).
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-1000110
CVE-Crit: MEDIUM
CVE-DESC: An improper authorization vulnerability exists in the Jenkins Git plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of hosts and users.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-1000182
CVE-Crit: MEDIUM
CVE-DESC: A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and earlier in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to force Jenkins to send a GET request to a specified URL.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-11233
CVE-Crit: HIGH
CVE-DESC: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, the code that checks path name validity on NTFS may read memory outside the valid range.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-1003010
CVE-Crit: MEDIUM
CVE-DESC: A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java, allowing attackers to create a Git tag in the workspace and attach the corresponding metadata to the build record.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-19604
CVE-Crit: HIGH
CVE-DESC: Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-2136
CVE-Crit: MEDIUM
CVE-DESC: Jenkins Git Plugin 4.2.0 and earlier versions do not escape the error message for the repository URL in Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-21300
CVE-Crit: HIGH
CVE-DESC: Git is an open source distributed version control system. In vulnerable versions of Git, a specially crafted repository containing symbolic links and files using a clean/smudge filter such as Git LFS can cause a just-checked-out script to be executed when cloning onto a case-insensitive file system such as NTFS, HFS+, or APFS (i.e., the default file systems on Windows and macOS). Note that clean/smudge filters must be configured for this. Git for Windows configures Git LFS by default and is therefore vulnerable. The problem was fixed in versions published on Tuesday, March 9, 2021. As a temporary fix, if symbolic link support is disabled in Git (e.g. with git config --global core.symlinks false), the described attack won't work. Similarly, if no clean/smudge filters such as Git LFS are globally configured (i.e. before cloning), the attack will be prevented. As always, it's best to avoid cloning repositories from untrusted sources. The earliest affected version is 2.14.2. The patch versions are 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.6.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-29468
CVE-Crit: HIGH
CVE-DESC: Cygwin Git is a patch set for the git command line tool for the Cygwin environment. A specially crafted repository containing symbolic links, and files with backslash characters in the filename, can cause just-checked-out code to be executed when checking out a repository using Git on Cygwin. The issue will be fixed in the Cygwin Git v2.31.1-2 release. As of this writing, the vulnerability is present in the Git source code; any Cygwin user who compiles Git for themselves from source code should manually apply a patch to mitigate the vulnerability. As a mitigation, users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.
CVE-STATUS: default
CVE-REV: default
