Ubuntu.comUB:CVE-2014-9390CVE-2014-9390
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.951 High
EPSS
Percentile
99.3%
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before
2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3
on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions
before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions
before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git
servers to execute arbitrary commands via a tree containing a crafted
.git/config file with (1) an ignorable Unicode codepoint, (2) a
git~1/config representation, or (3) mixed case that is improperly handled
on a case-insensitive filesystem.
Bugs
Notes
| Author | Note |
|---|---|
| kees | This CVE is about the git VCS. The βgitβ from hardy and earlier is not what was βgit-coreβ. |
| jdstrand | Maverick and later renamed βgit-coreβ to βgitβ, so βgitβ in these releases does refer to git VCS. initially marked βlowβ since default filesystems on Ubuntu are case-sensitive, however file servers serving these reopositories to clients need to be patched, so upping to medium |
| tyhicks | git upstream fixed a minor regression in the HFS+ .git filtering with commit 6aaf956b |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 17.10 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 18.04 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 18.10 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 19.04 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 19.10 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 20.04 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 20.10 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 21.04 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 21.10 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
| ubuntu | 22.04 | noarch | git | <Β 1:2.1.4-2 | UNKNOWN |
References
article.gmane.org/gmane.linux.kernel/1853266
git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html
mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29
developer.atlassian.com/blog/2014/12/securing-your-git-server/
launchpad.net/bugs/cve/CVE-2014-9390
nvd.nist.gov/vuln/detail/CVE-2014-9390
security-tracker.debian.org/tracker/CVE-2014-9390
ubuntu.com/security/notices/USN-2470-1
www.cve.org/CVERecord?id=CVE-2014-9390
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.951 High
EPSS
Percentile
99.3%