CVE-2019-1387

HIGH8.8EPSS 1.9%

git - security update

Published: 12/18/2019Modified: 3/9/2026

Also known as:ALPINE-CVE-2019-1387DEBIAN-CVE-2019-1387DEBIAN-CVE-2023-25652DEBIAN-CVE-2023-25815DEBIAN-CVE-2023-29007DEBIAN-CVE-2024-32002DEBIAN-CVE-2024-32004DEBIAN-CVE-2024-32021DEBIAN-CVE-2024-32465DLA-3844-1

Description

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

Affected packages (5)

Alpine/gitfrom 0, < 2.22.2-r0
Alpine/libgit2from 0, < 0.28.4-r0
Debian/gitfrom 0, < 1:2.30.2-1+deb11u3
Debian/gitfrom 0, < 1:2.20.1-2+deb10u9
Debian/gitfrom 0, < 1:2.30.2-1+deb11u3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2019-1387
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-1387