CVE-2014-9390
Summary
| CVE | CVE-2014-9390 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-02-12 02:15:00 UTC |
| Updated | 2021-05-17 19:54:00 UTC |
| Description | Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Apple | Mac Os X | - | All | All | All |
| Application | Apple | Xcode | 6.2 | - | All | All |
| Application | Apple | Xcode | 6.2 | beta_2 | All | All |
| Application | Apple | Xcode | All | All | All | All |
| Application | Eclipse | Egit | All | All | All | All |
| Application | Eclipse | Egit | - | All | All | All |
| Application | Eclipse | Jgit | All | All | All | All |
| Application | Eclipse | Jgit | - | All | All | All |
| Application | Git-scm | Git | All | All | All | All |
| Application | Libgit2 | Libgit2 | All | All | All | All |
| Application | Libgit2 | Libgit2 | - | All | All | All |
| Application | Mercurial | Mercurial | All | All | All | All |
| Operating System | Microsoft | Windows | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Git client vulnerability announced \| Hacker News | MISC | news.ycombinator.com | Issue Tracking, Patch, Third Party Advisory |
| Git Blame: Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1 and thanking friends in Mercurial land | MISC | git-blame.blogspot.com | Third Party Advisory |
| tree: Check for `.git` with case insensitivy · libgit2/libgit2@928429c · GitHub | MISC | github.com | |
| Apple Xcode Git Path Validation Flaw Lets Remote Users Add Files to the '.git' Folder - SecurityTracker | MISC | securitytracker.com | Third Party Advisory, VDB Entry |
| Vulnerability announced: update your Git clients · GitHub | MISC | github.com | Vendor Advisory |
| About the security content of Xcode 6.2 beta 3 - Apple Support | MISC | support.apple.com | Vendor Advisory |
| WhatsNew - Mercurial | MISC | mercurial.selenic.com | Release Notes, Third Party Advisory |
| Gmane -- ANNOUNCE Git v2.2.1 and updates to older maintenance tracks | MISC | article.gmane.org | Broken Link |
| libgit2 | MISC | libgit2.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.