Skip to content

Security: git package has 15 vulnerabilities #116

New issue
New issue
Open
Open
Security: git package has 15 vulnerabilities#116
Labels
securityvulnerability
@sajjaphani

Description

@sajjaphani
sajjaphani
opened on May 23, 2025

Security Vulnerabilities in git v2.39.1

The current version of git (2.39.1) has 15 known security vulnerabilities. The associated plan file is available here.

ID Severity Score Source Detail
CVE-2018-1000110 MEDIUM 5.3 NVD View
CVE-2018-1000182 MEDIUM 6.4 NVD View
CVE-2019-1003010 MEDIUM 4.3 NVD View
CVE-2020-2136 MEDIUM 5.4 NVD View
CVE-2021-21684 MEDIUM 6.1 NVD View
CVE-2022-30947 HIGH 7.5 NVD View
CVE-2022-36882 HIGH 8.8 NVD View
CVE-2022-36883 HIGH 7.5 NVD View
CVE-2022-36884 MEDIUM 5.3 NVD View
CVE-2022-38663 MEDIUM 6.5 NVD View
CVE-2023-22490 MEDIUM 5.5 NVD View
CVE-2023-23946 MEDIUM 6.2 NVD View
CVE-2023-25652 HIGH 7.5 NVD View
CVE-2023-29007 HIGH 7.0 NVD View
CVE-2024-32002 CRITICAL 9.0 NVD View

Detailed Information

1. CVE-2018-1000110

Summary: An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.

Published: 2018-03-13T13:29:00.640
Last Modified: 2024-11-21T03:39:39.963

CVSSv3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSSv2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:

2. CVE-2018-1000182

Summary: A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

Published: 2018-06-05T20:29:00.373
Last Modified: 2024-11-21T03:39:52.420

CVSSv3.0: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSSv2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:

3. CVE-2019-1003010

Summary: A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.

Published: 2019-02-06T16:29:00.563
Last Modified: 2024-11-21T04:17:44.057

CVSSv3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSSv2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:

4. CVE-2020-2136

Summary: Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.

Published: 2020-03-09T16:15:12.797
Last Modified: 2024-11-21T05:24:45.417

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSSv2.0: AV:N/AC:M/Au:S/C:N/I:P/A:N
References:

5. CVE-2021-21684

Summary: Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

Published: 2021-10-06T23:15:06.977
Last Modified: 2024-11-21T05:48:49.770

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSSv2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:

6. CVE-2022-30947

Summary: Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

Published: 2022-05-17T15:15:08.797
Last Modified: 2024-11-21T07:03:36.643

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSSv2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:

7. CVE-2022-36882

Summary: A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

Published: 2022-07-27T15:15:08.827
Last Modified: 2024-11-21T07:13:58.690

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:

8. CVE-2022-36883

Summary: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

Published: 2022-07-27T15:15:08.880
Last Modified: 2024-11-21T07:13:58.903

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:

9. CVE-2022-36884

Summary: The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.

Published: 2022-07-27T15:15:08.933
Last Modified: 2024-11-21T07:13:59.117

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:

10. CVE-2022-38663

Summary: Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (gitUsernamePassword) credentials binding.

Published: 2022-08-23T17:15:15.257
Last Modified: 2024-11-21T07:16:53.420

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:

11. CVE-2023-22490

Summary: Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links, the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with --recurse-submodules. Instead, consider cloning repositories without recursively cloning their submodules, and instead run git submodule update at each layer. Before doing so, inspect each new .gitmodules file to ensure that it does not contain suspicious module URLs.

Published: 2023-02-14T20:15:16.683
Last Modified: 2024-11-21T07:44:54.803

CVSSv3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
References:

12. CVE-2023-23946

Summary: Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Published: 2023-02-14T20:15:17.457
Last Modified: 2024-11-21T07:47:09.383

CVSSv3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:

13. CVE-2023-25652

Summary: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Published: 2023-04-25T20:15:09.933
Last Modified: 2024-11-21T07:49:52.417

CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:

14. CVE-2023-29007

Summary: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Published: 2023-04-25T21:15:10.403
Last Modified: 2024-11-21T07:56:22.897

CVSSv3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References:

15. CVE-2024-32002

Summary: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Published: 2024-05-14T19:15:10.810
Last Modified: 2024-11-21T09:14:19.267

CVSSv3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
References:

Metadata

Metadata

Assignees

No one assigned

    Labels

    securityvulnerability

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions