
exploitDog


CVE-2014-9390

Published: 18 Dec 2014
Source: redhat
CVSS2: 4
EPSS: Medium

Description

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Statement

This flaw is only exploitable when the local git repository is stored on a case-insensitive filesystem. By default, Red Hat Enterprise Linux uses case-sensitive filesystems (such as ext2/3/4, XFS, etc.) and as such is not vulnerable to this flaw.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | git | Not affected | | |
| Red Hat Enterprise Linux 7 | git | Not affected | | |


Additional information

Status: Low
Defect: CWE-20->CWE-172->CWE-552->CWE-829
https://bugzilla.redhat.com/show_bug.cgi?id=1175960 git: arbitrary command execution vulnerability on case-insensitive file systems

EPSS

Percentile: 98%
0.5996
Medium

CVSS2: 4 Medium

Related vulnerabilities

CVSS3: 9.8
ubuntu
almost 6 years ago


CVSS3: 9.8
nvd
almost 6 years ago


CVSS3: 9.8
debian
almost 6 years ago

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x befo ...

CVSS3: 9.8
github
more than 3 years ago

JGit Improper Input Validation vulnerability
