CVE-2018-19486

moderate-risk
Published 2018-11-23

Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.

Do I need to act?

-
0.66% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 98cdfbb84ad2ed6a2eb43dafa357a70a4b0a0fad
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Git

Affected Vendors

Canonical Git-Scm

References (14)

Third Party Advisory http://www.securityfocus.com/bid/106020
Third Party Advisory http://www.securitytracker.com/id/1042166
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3800
Mailing List https://git.kernel.org/pub/scm/git/git.git/commit/?id=321fd82389742398d2924640ce...
Release Notes https://git.kernel.org/pub/scm/git/git.git/tree/Documentation/RelNotes/2.19.2.tx...
https://security.gentoo.org/glsa/201904-13
Third Party Advisory https://usn.ubuntu.com/3829-1/
Third Party Advisory http://www.securityfocus.com/bid/106020
Third Party Advisory http://www.securitytracker.com/id/1042166
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3800
Mailing List https://git.kernel.org/pub/scm/git/git.git/commit/?id=321fd82389742398d2924640ce...
Release Notes https://git.kernel.org/pub/scm/git/git.git/tree/Documentation/RelNotes/2.19.2.tx...
https://security.gentoo.org/glsa/201904-13
Third Party Advisory https://usn.ubuntu.com/3829-1/
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 9/34 · Low