CVE-2014-9390: Input Validation
First published: Wed Feb 12 2020(Updated: )
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Git-scm Git | <1.8.5.6 | |
| Git-scm Git | >=1.9.0<1.9.5 | |
| Git-scm Git | >=2.0.0<2.0.5 | |
| Git-scm Git | >=2.1.0<2.1.4 | |
| Git-scm Git | >=2.2.0<2.2.1 | |
| Apple Mac OS X | ||
| Microsoft Windows | ||
| Mercurial Mercurial | <3.2.3 | |
| Apple Xcode | <=6.1.1 | |
| Apple Xcode | =6.2 | |
| Apple Xcode | =6.2-beta_2 | |
| Eclipse Egit | <08-12-2014 | |
| Eclipse JGit | <3.4.2 | |
| Eclipse JGit | >=3.5.0<3.5.3 | |
| Libgit2 Libgit2 | <0.21.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://article.gmane.org/gmane.linux.kernel/1853266
- http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
- http://mercurial.selenic.com/wiki/WhatsNew
- http://securitytracker.com/id?1031404
- http://support.apple.com/kb/HT204147
- https://github.com/blog/1938-git-client-vulnerability-announced
- https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915
- https://libgit2.org/security/
- https://news.ycombinator.com/item?id=8769667
Frequently Asked Questions
What is the severity of CVE-2014-9390?
The severity of CVE-2014-9390 is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2014-9390?
Git versions before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial versions before 3.2.3 on Windows and OS X; Apple Xcode versions before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014.
How can I fix CVE-2014-9390 on Windows and OS X?
To fix CVE-2014-9390 on Windows and OS X, you need to update Git to version 1.8.5.6 or later, Mercurial to version 3.2.3 or later, and Apple Xcode to version 6.2 beta 3 or later.
Is Apple Mac OS X vulnerable to CVE-2014-9390?
No, Apple Mac OS X is not vulnerable to CVE-2014-9390.
Where can I find more information about CVE-2014-9390?
You can find more information about CVE-2014-9390 at the following references: [link1](http://article.gmane.org/gmane.linux.kernel/1853266), [link2](http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html), [link3](http://mercurial.selenic.com/wiki/WhatsNew).
- collector/nvd-index
- agent/severity
- agent/author
- vendor/git-scm
- canonical/git-scm git
- version/git-scm git/1.9.0
- version/git-scm git/2.0.0
- version/git-scm git/2.1.0
- version/git-scm git/2.2.0
- vendor/apple
- canonical/apple mac os x
- vendor/microsoft
- canonical/microsoft windows
- vendor/mercurial
- canonical/mercurial mercurial
- canonical/apple xcode
- version/apple xcode/6.1.1
- version/apple xcode/6.2
- version/apple xcode/6.2-beta_2
- vendor/eclipse
- canonical/eclipse egit
- canonical/eclipse jgit
- version/eclipse jgit/3.5.0
- vendor/libgit2
- canonical/libgit2 libgit2