CVE-2019-1387
moderate-risk
Published 2019-12-18
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
Do I need to act?
~
2.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Vendors
References (27)
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4356
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4356
and 7 more references
45
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
5/34 · Minimal
Exposure
10/34 · Low