41 matches found

CVE-2021-21300 (added 2021/03/09 12:00 a.m., 990 views)

Summary: CVE-2021-21300 affects Git when cloning into case-insensitive file systems and using certain clean/smudge filters (e.g., Git LFS). A specially crafted repository containing symbolic links and files processed by these filters can cause an unchecked script to run during checkout. Affected ...

CVSS 8 | AI score 7.7 | EPSS 0.61881
CVE-2022-23521 (added 2023/01/17 10:17 p.m., 665 views)

CVE-2022-23521 affects Git. The issue arises from parsing gitattributes, where very large path patterns or attribute names can trigger integer overflows, leading to arbitrary heap reads/writes and potentially remote code execution. Git’s handling of long lines (>2KB) in gitattributes (from fil...

CVSS 9.8 | AI score 9.8 | EPSS 0.09438
CVE-2022-41903 (added 2023/01/17 10:17 p.m., 660 views)

CVE-2022-41903 describes a heap-write overflow in Git during commit formatting when processing padding operators in pretty.c (format_and_pad_commit), where a size_t is mishandled as an int and added to memcpy() offsets. This can be triggered by commands using --format (e.g., git log) or indirectl...

CVSS 9.8 | AI score 10 | EPSS 0.17802
CVE-2022-39253 (added 2022/10/19 12:00 a.m., 643 views)

Summary: CVE-2022-39253 affects Git versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, exposing sensitive data via local clones where source and target are on the same volume. The vulnerability arises when cloning a repository l...

CVSS 5.5 | AI score 6.5 | EPSS 0.02579
CVE-2018-17456 (added 2018/10/06 2:00 p.m., 635 views)

CVE-2018-17456 is a remote code execution in Git triggered when processing a recursive clone of a superproject if a .gitmodules URL starts with a dash. Affected Git versions include 2.14.5 and later 2.15.x/2.16.x/2.17.x/2.18.x/2.19.x before the fixed releases listed (e.g., 2.14.5 and subsequent u...

CVSS 9.8 | AI score 9.3 | EPSS 0.59226
CVE-2023-23946 (added 2023/02/14 7:48 p.m., 635 views)

Git is affected by CVE-2023-23946. Prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8, a crafted input to git apply can cause a path outside the working tree to be overwritten by the running user. A fix is prepared and will be released in the list...

CVSS 7.5 | AI score 6.8 | EPSS 0.01674
CVE-2023-29007 (added 2023/04/25 8:09 p.m., 633 views)

Git CVE-2023-29007 affects multiple Git versions prior to 2.30.9–2.40.1. A bug in config.c (git_config_copy_or_rename_section_in_file) allows injection of arbitrary configuration via a long .gitmodules submodule URL, enabling execution of user-controlled executables when removing a submodule sect...

CVSS 7.8 | AI score 7.8 | EPSS 0.00618
CVE-2022-39260 (added 2022/10/19 12:00 a.m., 591 views)

Git Shell command-argument parsing bug (CVE-2022-39260) in pre-2.30.6…2.37.4 allows an attacker with SSH access to a Git shell login to overflow an int-based count when building the argv array, enabling arbitrary heap writes and potential remote code execution via execv(). Affected setups require...

CVSS 8.8 | AI score 9.2 | EPSS 0.02232
CVE-2023-25652 (added 2023/04/25 7:17 p.m., 562 views)

CVE-2023-25652 affects Git before 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. The vulnerability arises when feeding specially crafted input to git apply --reject, which can cause a path outside the working tree to be overwritten with partially con...

CVSS 7.5 | AI score 7.7 | EPSS 0.03559
CVE-2023-22490 (added 2023/02/14 7:47 p.m., 552 views)

Git prior to versions 2.30.8, 2.31.7, 2.32.6, 2.33.7, 2.34.7, 2.35.7, 2.36.5, 2.37.6, 2.38.4, and 2.39.2 can be tricked via the local clone optimization when cloning from a non-local transport, allowing potential data exfiltration through manipulating the $GIT_DIR/objects p...

CVSS 5.5 | AI score 7 | EPSS 0.02579
CVE-2020-5260 (added 2020/04/14 10:50 p.m., 478 views)

CVE-2020-5260 affects Git by newline-injection in the credential helper protocol, enabling a crafted URL to exfiltrate credentials from one host to another. Affected Git releases were patched in April 2020; fixes are in 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26....

CVSS 9.3 | AI score 7.2 | EPSS 0.373 | Tags: Web
CVE-2022-24765 (added 2022/04/12 12:00 a.m., 478 views)

CVE-2022-24765 affects Git on multi-user systems where untrusted users can create a C:\.git directory; Git would then read and apply configuration from that directory, potentially altering behavior outside the intended repository. The issue arises from Git not checking directory ownership when rea...

CVSS 7.8 | AI score 7 | EPSS 0.00168
CVE-2020-11008 (added 2020/04/21 6:40 p.m., 448 views)

Technical details for CVE-2020-11008 are not present in the provided connected documents. The sources discuss related CVEs and general Git credential leakage vectors but do not specify affected versions, root cause, fixes, or exploitation status for this CVE. Monitor for updates.

CVSS 7.5 | AI score 6.5 | EPSS 0.37878
CVE-2019-1387 (added 2019/12/18 8:11 p.m., 432 views)

CVE-2019-1387 affects Git prior to the fix in 2.24.1, due to too-lax validation of submodule names during recursive clones. This could allow remote code execution when cloning a repository with submodules. Public advisories note the vulnerability and cite fixes in Git versions 2.24.1 and later; s...

CVSS 8.8 | AI score 8.9 | EPSS 0.01944
CVE-2018-11235 (added 2018/05/30 4:00 a.m., 404 views)

CVE-2018-11235 affects Git prior to 2.17.1 (and also 2.13.7, 2.14.4, 2.15.2, 2.16.4, 2.17.1 as listed in advisories). A crafted .gitmodules file can cause directory traversal in submodule names, leading to a malicious project triggering a chain where submodule names are appended to $GIT_DIR/modul...

CVSS 7.8 | AI score 8.1 | EPSS 0.4172 | Tags: Web
CVE-2019-19604 (added 2019/12/10 11:33 p.m., 402 views)

Git before 2.24.1 is vulnerable to arbitrary command execution via recursive submodule updates because a malicious .gitmodules can cause commands to be run. Affected ranges include 2.20.2, 2.21.x, 2.22.x, 2.23.x, and 2.24.x prior to 2.24.1. Remediation: upgrade to Git 2.24.1 or later (UPC/ALAS re...

CVSS 9.3 | AI score 8.7 | EPSS 0.01562
CVE-2024-32465 (added 2024/05/14 7:18 p.m., 386 views)

Git vulnerability CVE-2024-32465 affects local-cloning scenarios and can allow arbitrary code execution when cloning repositories from untrusted sources. Astra Linux documents indicate affected Git before 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, with patches in 2.45.1, 2.44.1, ...

CVSS 7.8 | AI score 6.2 | EPSS 0.00155
CVE-2024-32004 (added 2024/05/14 6:46 p.m., 376 views)

CVE-2024-32004 affects Git and enables arbitrary code execution during cloning when a local repository is crafted by an attacker. It targets pre-patch releases prior to 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. Affected versions can execute code during the clone operation if the...

CVSS 8.1 | AI score 7.6 | EPSS 0.02439
CVE-2024-32020 (added 2024/05/14 6:54 p.m., 333 views)

CVE-2024-32020 concerns Git’s local clone optimization on the same disk, where source and target repositories owned by different users may result in hardlinked files in the target’s object database that can be rewritten by an untrusted user. Affected Git versions prior to 2.45.1, 2.44.1, 2.43.4, ...

CVSS 3.9 | AI score 5.9 | EPSS 0.00181
CVE-2024-32021 (added 2024/05/14 7:15 p.m., 324 views)

CVE-2024-32021 affects Git prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. When cloning a local repository that contains symlinks over the filesystem, Git may create hardlinks to arbitrary user-readable files in the destination repo’s objects/ directory. Also, clonin...

CVSS 7.1 | AI score 7 | EPSS 0.00021
CVE-2017-1000117 (added 2017/10/04 1:00 a.m., 301 views)

CVE-2017-1000117 is a command-injection vulnerability in Git caused by insufficient validation of ssh:// URL handling, enabling arbitrary code execution when a malicious URL is processed (e.g., via git clone --recurse-submodules or a crafted .gitmodules). The connected advisories confirm the issu...

CVSS 8.8 | AI score 7.9 | EPSS 0.70245
CVE-2018-11233 (added 2018/05/30 4:00 a.m., 262 views)

CVE-2018-11233 affects Git on NTFS pathname sanity checking, causing potential out-of-bounds reads. Affected: Git versions before 2.13.7, and 2.14.x/2.15.x/2.16.x/2.17.x before the listed patch levels. Impact: potential information disclosure and/or memory access concerns; no explicit exploitatio...

CVSS 7.5 | AI score 7.5 | EPSS 0.0031
CVE-2019-1348 (added 2020/01/24 9:14 p.m., 257 views)

CVE-2019-1348 affects Git prior to 2.24.1 (including 2.23.1, 2.22.2, 2.21.1, etc.). The root cause is that the --export-marks feature of git fast-import is exposed through the in-stream command export-marks=... mechanism, which can overwrite arbitrary paths. This creates a local-attack surface wh...

CVSS 3.6 | AI score 6.7 | EPSS 0.00031
CVE-2021-40330 (added 2021/08/31 12:00 a.m., 253 views)

CVE-2021-40330 affects the Git project: in git_connect_git (connect.c) of Git before 2.30.1, a repository path can contain a newline character, which may trigger unexpected cross-protocol requests as demonstrated by a crafted git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 sequence. The vulne...

CVSS 7.5 | AI score 7.3 | EPSS 0.00536 | Tags: Web
CVE-2025-48384 (added 2025/07/08 6:23 p.m., 235 views)

Git vulnerability CVE-2025-48384 arises from Git’s handling of trailing CR characters in config and submodule paths, which can cause a submodule to checkout to an incorrect location and potentially execute a post-checkout hook if a symlink points to the hooks directory. The issue affects Git and ...

CVSS 8 | AI score 6.4 | EPSS 0.00603 | Tags: In wild
CVE-2022-29187 (added 2022/07/12 12:00 a.m., 229 views)

CVE-2022-29187 is a Git privilege escalation that affects multi-user/local systems where the repository owner can influence commands via local repo configuration ownership checks. The root cause is failure to properly enforce ownership checks in local multi-user envi...

CVSS 7.8 | AI score 7.2 | EPSS 0.00168
CVE-2019-1353 (added 2020/01/24 9:14 p.m., 219 views)

CVE-2019-1353 concerns Git behavior under Windows Subsystem for Linux (WSL) when accessing a Windows NTFS working directory, where NTFS protections were not active. Connected documents link a related issue in libgit2 (NTFS filename handling) that can enable remote code execution during repository...

CVSS 9.8 | AI score 9.2 | EPSS 0.00129
CVE-2017-14867 (added 2017/09/28 2:00 p.m., 200 views)

CVE-2017-14867 affects Git and is caused by unsafe Perl scripts used to support subcommands (notably cvsserver). Vulnerable builds include Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2. The flaw allows an attacker to execute arbitrar...

CVSS 9 | AI score 8.8 | EPSS 0.06534
CVE-2014-9390 (added 2020/02/12 1:58 a.m., 197 views)

CVE-2014-9390 describes a remote command-execution risk in Git and several VCS clients when interacting with repositories on case-insensitive filesystems. A crafted .git/config in a tree can trigger arbitrary commands on the server/client, depending on the tool. Affected versions (per provided so...

CVSS 9.8 | AI score 9.1 | EPSS 0.77155 | Tags: Web
CVE-2017-15298 (added 2017/10/14 7:00 p.m., 196 views)

CVE-2017-15298 is linked to Git up to version 2.14.2, where a vulnerability in how layers of tree objects are handled can allow a remote attacker to cause a denial of service via a crafted repository, with potential disk impact. The issue arises from memory data structure construction that may ex...

CVSS 5.5 | AI score 5.3 | EPSS 0.00446
CVE-2022-24975 (added 2022/02/11 12:00 a.m., 173 views)

Technical details about CVE-2022-24975 are not publicly provided in the supplied documents. No vendor/product/version specifics or fixes are described here. Monitor for updates from official advisories.

CVSS 7.5 | AI score 7.5 | EPSS 0.00871
CVE-2022-41953 (added 2023/01/17 9:03 p.m., 154 views)

CVE-2022-41953 affects Git GUI (Git for Windows). When cloning a repository with Git GUI, post-processing may run a spell checker binary named aspell.exe from the repository’s top-level directory due to Tcl on Windows searching the current directory first. If a malicious repo ships a crafted aspe...

CVSS 8.6 | AI score 7.6 | EPSS 0.00722
CVE-2014-9938 (added 2017/03/20 12:00 a.m., 151 views)

CVE-2014-9938 is disclosed in multiple feeds as a vulnerability in Git where the git-prompt.sh script failed to sanitize branch names, enabling potential code execution via PS1 in affected Git versions. Connected documents corroborate this vulnerability as part of EulerOS advisories and Nessus/NV...

CVSS 8.8 | AI score 8.5 | EPSS 0.0075
CVE-2018-19486 (added 2018/11/23 8:00 a.m., 143 views)

CVE-2018-19486: Git before 2.19.2 on Linux/UNIX executes commands from the current working directory in certain cases involving the run_command() API and run-command.c, caused by a change from execvp to execv in 2017. The vulnerability can allow commands to be executed from the current directory...

CVSS 9.8 | AI score 9.2 | EPSS 0.00557
CVE-2016-2315 (added 2016/04/08 2:00 p.m., 114 views)

CVE-2016-2315: Git before 2.7.4 contains an integer truncation/overrun in revision.c that can cause a heap-based buffer overflow when handling crafted path information (e.g., long filenames or many nested trees). This may allow remote code execution. A fix is to update Git to version 2.7.4 or la...

CVSS 10 | AI score 9.6 | EPSS 0.17652
CVE-2016-2324 (added 2016/04/08 2:00 p.m., 107 views)

CVE-2016-2324 affects Git prior to 2.7.4. A heap-based buffer overflow is triggered by path-related inputs (e.g., long filenames or deeply nested trees), enabling remote code execution. Public advisories from Debian, Ubuntu, Arch, CentOS, and Cloud Foundry reference two related buffer-overflow vu...

CVSS 10 | AI score 9.7 | EPSS 0.2205
CVE-2018-1000021 (added 2018/02/09 11:00 p.m., 90 views)

Technical details on CVE-2018-1000021 are not publicly provided in the connected documents. Please monitor for updates from the vendor/CNA and the CVE entry for any affected products, impact and remediation information.

CVSS 6.8 | AI score 8.4 | EPSS 0.00372
CVE-2010-2542 (added 2010/08/11 6:00 p.m., 80 views)

Git: Privilege escalation vulnerability CVE-2010-2542 — stack-based buffer overflow in is_git_directory (setup.c) in Git up to 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file. Affected: Git before 1.7.2.1. Impact: local privilege escalation. Mitigation: upgra...

CVSS 7.5 | AI score 6.6 | EPSS 0.0166
CVE-2013-0308 (added 2013/03/08 9:00 p.m., 76 views)

CVE-2013-0308 affects the git tool’s imap-send command: prior to version 1.8.1.4, it does not verify that the SSL server hostname matches the certificate’s CN/subjectAltName, enabling MITM spoofing with any valid cert. Affected releases include git versions before 1.8.1.4; multiple advisories (e....

CVSS 4.3 | AI score 9 | EPSS 0.01488
CVE-2010-3906 (added 2010/12/17 6:00 p.m., 74 views)

CVE-2010-3906 is an XSS in gitweb (Git web interface) for Git versions up to 1.7.3.3 and earlier, exploitable via the f and fp parameters to craft arbitrary script/HTML. Multiple advisories report remote injection through gitweb, with openSUSE openSUSE-SU-2011:0115-1 and Debian backports patches ...

CVSS 4.3 | AI score 5.5 | EPSS 0.1349 | Tags: Web
CVE-2008-5516 (added 2009/01/20 4:00 p.m., 73 views)

CVE-2008-5516 affects Git-related web interface gitweb (1.5.x up to 1.5.5). The issue arises in the gitweb.cgi script’s handling of git_search input, where shell metacharacters are not properly sanitized, enabling an unauthenticated remote attacker to execute arbitrary commands on the server with...

CVSS 7.5 | AI score 7.5 | EPSS 0.01455