Published: 12/02/2020 Updated: 17/05/2021

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 831

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Git prior to 1.8.5.6, 1.9.x prior to 1.9.5, 2.0.x prior to 2.0.5, 2.1.x prior to 2.1.4, and 2.2.x prior to 2.2.1 on Windows and OS X; Mercurial prior to 3.2.3 on Windows and OS X; Apple Xcode prior to 6.2 beta 3; mine all versions prior to 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions prior to 08-12-2014; and JGit all versions prior to 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Vulnerable Product	Search on Vulmon	Subscribe to Product
git-scm git
mercurial mercurial
apple xcode
apple xcode 6.2
eclipse egit
eclipse jgit
libgit2 libgit2

Git could be made to run programs as your login if it received specially crafted changes from a remote repository ...

Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command For the oldstable distribution (wheezy), this problem has been fixed in version 222-4+deb7u1 This update also includes a fix for CVE-2014-9390 previously ...

Debian Bug report logs - #783237 mercurial: CVE-2014-9462: command injection via sshpeer_validaterepo() Package: mercurial; Maintainer for mercurial is Python Applications Packaging Team <python-apps-team@listsaliothdebianorg>; Source for mercurial is src:mercurial (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff &l ...

Debian Bug report logs - #773640 CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull Package: mercurial; Maintainer for mercurial is Python Applications Packaging Team <python-apps-team@listsaliothdebianorg>; Source for mercurial is src:mercurial (PTS, buildd, popcon) Repor ...

Debian Bug report logs - #780958 dulwich: CVE-2015-0838: buffer overflow in C implementation of pack apply_delta() Package: src:dulwich; Maintainer for src:dulwich is Debian Python Modules Team <python-modules-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 22 Mar 2015 1 ...

Debian Bug report logs - #780989 dulwich: CVE-2014-9706: does not prevent to write files in commits with invalid paths to working tree Package: src:dulwich; Maintainer for src:dulwich is Debian Python Modules Team <python-modules-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date ...

This Metasploit module exploits CVE-2014-9390, which affects Git (versions less than 1856, 195, 205, 214 and 221) and Mercurial (versions less than 323) and describes three vulnerabilities ...

This module exploits CVE-2014-9390, which affects Git (versions less than 1856, 195, 205, 214 and 221) and Mercurial (versions less than 323) and describes three vulnerabilities On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retriev ...

This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. A second vulnerability with similar characteristics also exists in both Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignorable. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows "short names" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work.

msf > use exploit/multi/http/git_client_command_exec
msf exploit(git_client_command_exec) > show targets
    ...targets...
msf exploit(git_client_command_exec) > set TARGET < target-id >
msf exploit(git_client_command_exec) > show options
    ...show and set options...
msf exploit(git_client_command_exec) > exploit

This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. A second vulnerability with similar characteristics also exists in both Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignorable. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows "short names" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work.

msf > use exploit/multi/http/git_client_command_exec
msf exploit(git_client_command_exec) > show targets
    ...targets...
msf exploit(git_client_command_exec) > set TARGET < target-id >
msf exploit(git_client_command_exec) > show options
    ...show and set options...
msf exploit(git_client_command_exec) > exploit

This is a simple webscraper built using Scrapy.

FAQ I have XCode installed (and consequently its bundled git); how do I get my system to use this version instead? Xcode installs its git to /usr/bin/git; recent versions of OS X (Yosemite and later) ship with stubs in /usr/bin, which take precedence over this git To overcome, do the following: sudo mv /usr/bin/git /usr/bin/git-system sudo ln -sf /usr/local/git/bin/git /usr/bi

Mac

FAQ I have XCode installed (and consequently its bundled git); how do I get my system to use this version instead? Xcode installs its git to /usr/bin/git; recent versions of OS X (Yosemite and later) ship with stubs in /usr/bin, which take precedence over this git To overcome, do the following: sudo mv /usr/bin/git /usr/bin/git-system sudo ln -sf /usr/local/git/bin/git /usr/bi

CWE-20 https://news.ycombinator.com/item?id=8769667 http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html https://github.com/blog/1938-git-client-vulnerability-announced http://securitytracker.com/id?1031404 http://article.gmane.org/gmane.linux.kernel/1853266 http://mercurial.selenic.com/wiki/WhatsNew http://support.apple.com/kb/HT204147 https://libgit2.org/security/https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915 https://usn.ubuntu.com/2470-1/https://nvd.nist.gov

CVE-2014-9390

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

Metasploit Modules

Github Repositories

References

Vulmon Search

About

Products

Connect