CVE-2014-9390 — CRITICAL (9.8)

Q: How severe is CVE-2014-9390?

CVE-2014-9390 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2014-9390?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Apple Mac Os X, Microsoft Windows, Mercurial Mercurial, Apple Xcode.

Vulnerability Description

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Git-Scm	Git	< 1.8.5.6
Apple	Mac Os X	-
Microsoft	Windows	-
Mercurial	Mercurial	< 3.2.3
Apple	Xcode	<= 6.1.1
Eclipse	Egit	< 08-12-2014
Eclipse	Jgit	< 3.4.2
Libgit2	Libgit2	< 0.21.3

Related Weaknesses (CWE)

CWE-20

References

http://article.gmane.org/gmane.linux.kernel/1853266Broken Link
http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.htmlThird Party Advisory
http://mercurial.selenic.com/wiki/WhatsNewRelease NotesThird Party Advisory
http://securitytracker.com/id?1031404Third Party AdvisoryVDB Entry
http://support.apple.com/kb/HT204147Vendor Advisory
https://github.com/blog/1938-git-client-vulnerability-announcedVendor Advisory
https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b369Third Party Advisory
https://libgit2.org/security/Product
https://news.ycombinator.com/item?id=8769667Issue TrackingPatchThird Party Advisory
http://article.gmane.org/gmane.linux.kernel/1853266Broken Link
http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.htmlThird Party Advisory
http://mercurial.selenic.com/wiki/WhatsNewRelease NotesThird Party Advisory
http://securitytracker.com/id?1031404Third Party AdvisoryVDB Entry
http://support.apple.com/kb/HT204147Vendor Advisory
https://github.com/blog/1938-git-client-vulnerability-announcedVendor Advisory

FAQ

What is CVE-2014-9390?

CVE-2014-9390 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; m...

How severe is CVE-2014-9390?

CVE-2014-9390 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2014-9390?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Apple Mac Os X, Microsoft Windows, Mercurial Mercurial, Apple Xcode.