Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Git Subscribe
Total 10 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-25648 3 Debian, Fedoraproject, Git 4 Debian Linux, Extra Packages For Enterprise Linux, Fedora and 1 more 2023-02-16 7.5 HIGH 9.8 CRITICAL
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
CVE-2008-5516 3 Git, Git-scm, Rpath 3 Git, Git, Linux 2023-02-12 7.5 HIGH N/A
The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search.
CVE-2008-5517 1 Git 1 Git 2023-02-12 7.5 HIGH N/A
The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote attackers to execute arbitrary commands via shell metacharacters related to (1) git_snapshot and (2) git_object.
CVE-2020-5260 6 Canonical, Debian, Fedoraproject and 3 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2021-03-19 5.0 MEDIUM 7.5 HIGH
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., for an HTTP request being made to another server (e.g.,, resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
CVE-2010-3906 2 Git, Git-scm 2 Git, Git 2021-01-26 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Gitweb and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters.
CVE-2017-8386 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2019-10-02 6.5 MEDIUM 8.8 HIGH
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
CVE-2008-3546 2 Git, Linux 2 Git, Parduslinux 2018-10-11 7.5 HIGH N/A
Stack-based buffer overflow in the (1) diff_addremove and (2) diff_change functions in GIT before might allow local users to execute arbitrary code via a PATH whose length is larger than the system's PATH_MAX when running GIT utilities such as git-diff or git-grep.
CVE-2009-2108 1 Git 1 Git 2017-08-16 5.0 MEDIUM N/A
git-daemon in git through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments.
CVE-2008-5916 1 Git 1 Git 2017-08-07 4.6 MEDIUM N/A
gitweb/gitweb.perl in gitweb in Git 1.6.x before, 1.5.6.x before, 1.5.5.x before, 1.5.4.x before, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query.
CVE-2006-0477 1 Git 1 Git 2017-07-19 7.5 HIGH N/A
Buffer overflow in git-checkout-index in GIT before 1.1.5 allows remote attackers to execute arbitrary code via an index file with a long symbolic link.