CVE-2019-19604 — HIGH (7.8)

Q: How severe is CVE-2019-19604?

CVE-2019-19604 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-19604?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap.

Vulnerability Description

Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Git-Scm	Git	< 2.20.0
Debian	Debian Linux	9.0
Fedoraproject	Fedora	30
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-78 CWE-862

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/13/1Mailing ListThird Party Advisory
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodExploitThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.24.1.tThird Party Advisory
https://security.gentoo.org/glsa/202003-30Third Party Advisory
https://www.debian.org/security/2019/dsa-4581Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/13/1Mailing ListThird Party Advisory
https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodExploitThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2019-19604?

CVE-2019-19604 is a vulnerability with a CVSS score of 7.8 (HIGH). Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can ...

How severe is CVE-2019-19604?

CVE-2019-19604 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-19604?

Check the references section above for vendor advisories and patch information. Affected products include: Git-Scm Git, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap.