#VU23500 Absolute Path Traversal in Git - CVE-2019-1351


| Updated: 2019-12-11

Vulnerability identifier: #VU23500

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-1351

CWE-ID: CWE-36

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git
Client/Desktop applications / Software for system administration

Vendor: Git

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the Git for Visual Studio improperly handles virtual drive paths. A remote attacker can clone a file using a specially crafted path and write arbitrary files and directories to certain locations on a vulnerable system.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git: 2.14 - 2.19.2, 2.20.0 - 2.24.0

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Absolute Path Traversal in libgit2-1.0 (Alpine package)
OpenSUSE Linux update for git
Gentoo update for Git
OpenSUSE Linux update for git
Multiple vulnerabilities in Git
Ubuntu update for Git
Amazon Linux AMI update for git
Fedora 31 update for libgit2
Multiple vulnerabilities in Microsoft Git for Visual Studio
Absolute Path Traversal in git (Alpine package)