
366 matches found

Cvelist
added 2023/12/18 12:00 a.m., 84 views

CVE-2023-51385

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or...

AI score: 7.4, EPSS: 0.17234
Exploits: 7, References: 11
Vulnrichment
added 2023/12/18 12:00 a.m., 2 views

CVE-2023-51385

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or...

AI score: 7.2, EPSS: 0.17234
Exploits: 7, References: 11
Gentoo Linux
added 2023/11/01 12:00 a.m., 31 views

GitPython: Code Execution via Crafted Input

Background: GitPython is a Python library used to interact with Git repositories. Description: Please review the CVE identifier referenced below for details. Impact: An attacker may be able to trigger Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject ...

CVSS: 9.8, AI score: 9.8, EPSS: 0.68859
Exploits: 1
Prion
added 2023/10/19 9:15 p.m., 11 views

Input validation

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects. During a security audit of Artifact Hub's code base a security researcher identified a bug in which by using symbolic links in certain kinds of repositories load...

CVSS: 5, AI score: 7.6, EPSS: 0.00105
Exploits: 0, References: 2, Affected Software: 1
NVD
added 2023/09/22 4:15 p.m., 9 views

CVE-2023-42798

AutomataCI is a template git repository equipped with native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the PROJECTPATHRELEA...

CVSS: 9.1, AI score: 8.5, EPSS: 0.00107
Exploits: 0, References: 2
Prion
added 2023/09/22 4:15 p.m., 20 views

Code injection

AutomataCI is a template git repository equipped with native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the PROJECTPATHRELEA...

CVSS: 6.4, AI score: 9.1, EPSS: 0.00107
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2023/09/22 3:13 p.m., 11 views

CVE-2023-42798 AutomataCI Release Job Can Revert Repo to First Commit

AutomataCI is a template git repository equipped with native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the PROJECTPATHRELEA...

CVSS: 8.2, AI score: 9.4, EPSS: 0.00107
Exploits: 0, References: 2
CVE
added 2023/09/22 3:13 p.m., 29 views

CVE-2023-42798

AutomataCI is exposed to a release-job issue in 1.4.1 and earlier where the release job can reset the repo root to the very first commit. A fix exists in version 1.5.0. The recommended workaround is to ensure the PROJECT_PATH_RELEASE (e.g., releases/) directory is manually and actually git-cloned...

CVSS: 9.1, AI score: 8.9, EPSS: 0.00107
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2023/09/22 3:13 p.m., 21 views

CVE-2023-42798 AutomataCI Release Job Can Revert Repo to First Commit

AutomataCI is a template git repository equipped with native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the PROJECTPATHRELEA...

CVSS: 8.2, AI score: 9, EPSS: 0.00107
Exploits: 0, References: 4
Vulnrichment
added 2023/09/22 3:13 p.m., 14 views

CVE-2023-42798 AutomataCI Release Job Can Revert Repo to First Commit

AutomataCI is a template git repository equipped with native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the PROJECTPATHRELEA...

CVSS: 8.2, AI score: 6.9, EPSS: 0.00107
Exploits: 0, References: 2
Veracode
added 2023/09/21 11:12 a.m., 65 views

Arbitrary File Overwrite

org.eclipse.jgit is vulnerable to Arbitrary File Overwrite. The vulnerability is due to a symbolic link present in a specially crafted git repository which can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem...

CVSS: 8.8, AI score: 6.8, EPSS: 0.00974
Exploits: 0, References: 4, Affected Software: 1
Debian CVE
added 2023/09/12 9:12 a.m., 92 views

CVE-2023-4759

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0. In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive...

CVSS: 8.8, AI score: 8.4, EPSS: 0.00974
Exploits: 0
CVE
added 2023/09/12 9:12 a.m., 190 views

CVE-2023-4759

CVE-2023-4759 (Eclipse JGit) affects all versions

CVSS: 8.8, AI score: 7.8, EPSS: 0.00974
Exploits: 0, References: 3, Affected Software: 1
Veracode
added 2023/03/07 12:49 a.m., 15 views

Information Disclosure

jenkins-2-plugins is vulnerable to Information Disclosure. An attacker can gain information about the existence of jobs configured to use an attacker-specified Git repository...

CVSS: 5.3, AI score: 6.1, EPSS: 0.00347
Exploits: 0, References: 6, Affected Software: 1
Veracode
added 2023/03/07 12:49 a.m., 17 views

Cross-Site Request Forgery (CSRF)

jenkins-2-plugins is vulnerable to Cross-Site Request Forgery (CSRF). An attacker is able to trigger builds of jobs configured to use an attacker-specified Git repository and cause them to check out an attacker-specified commit...

CVSS: 8.8, AI score: 8.9, EPSS: 0.00515
Exploits: 0, References: 6, Affected Software: 1
SUSE CVE
added 2023/02/15 5:04 a.m., 2 views

SUSE CVE-2016-3105

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name...

CVSS: 8.8, AI score: 9, EPSS: 0.0118
Exploits: 0, References: 5
SUSE CVE
added 2023/02/15 4:23 a.m., 2 views

SUSE CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not ...

CVSS: 7.5, AI score: 8.6, EPSS: 0.56804
Exploits: 0, References: 38
OSV
added 2023/02/06 12:00 a.m., 37 views

ALSA-2023:0611 Important: git security update

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to wo...

CVSS: 9.8, AI score: 10, EPSS: 0.17802
Exploits: 0, References: 6
OpenVAS
added 2023/01/31 12:00 a.m., 9 views

Fedora: Security Advisory for rust-pretty-git-prompt (FEDORA-2023-3ec32f6d4e)

The remote host is missing an update for the Copyright (C) 2023 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

AI score: 8.1
Exploits: 0, References: 2
Hacker One
added 2022/11/28 3:59 a.m., 25 views

Ian Dunn: Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands

Summary: Due to the improper usage of the PS1 environment variable in .bash_prompt of dotfiles, a malicious repository can execute arbitrary commands when the current directory is changed to it. Description: The PS1 environment variable of bash supports command substitutions. For example, setting PS1 t...

AI score: 1.3
Exploits: 0