{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","type":"deb","namespace":"debian","name":"git","version":"1:2.30.2-1+deb11u2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1:2.30.2-1+deb11u3","latest_non_vulnerable_version":"1:2.53.0-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70334?format=json","vulnerability_id":"VCID-92ej-fqvf-zuf5","summary":"Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. 
The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32020.json","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32020.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32020","reference_id":"","reference_type":"","scores":[{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39631","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39667","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.3967","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39643","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00181","scoring_system":"epss","scoring_elements":"0.39615","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32020"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32020","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32020"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160","reference_id":"1071160","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160"},{"reference_url":"https://github.com/git/git/commit/1204e1a824c34071019fe106348eaa
6d88f9528d","reference_id":"1204e1a824c34071019fe106348eaa6d88f9528d","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T14:32:40Z/"}],"url":"https://github.com/git/git/commit/1204e1a824c34071019fe106348eaa6d88f9528d"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","reference_id":"2","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T14:32:40Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280466","reference_id":"2280466","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280466"},{"reference_url":"https://github.com/git/git/commit/9e65df5eab274bf74c7b570107aacd1303a1e703","reference_id":"9e65df5eab274bf74c7b570107aacd1303a1e703","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T14:32:40Z/"}],"url":"https://github.com/git/git/commit/9e65df5eab274bf74c7b570107aacd1303a1e703"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-5rfh-556j-fhgj","reference_id":"GHSA-5rfh-556j-fhgj","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T14:32:40Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-5rfh-556j-fhgj"},{"reference_url":"h
ttps://access.redhat.com/errata/RHSA-2024:4083","reference_id":"RHSA-2024:4083","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4083"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4084","reference_id":"RHSA-2024:4084","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4084"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4368","reference_id":"RHSA-2024:4368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4368"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","reference_id":"S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-15T14:32:40Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"},{"reference_url":"https://usn.ubuntu.com/6793-1/","reference_id":"USN-6793-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6793-1/"},{"reference_url":"https://usn.ubuntu.com/7023-1/","reference_id":"USN-7023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerab
lecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96465?format=json","purl":"pkg:deb/debian/git@1:2.45.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.45.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-32020"],"risk_score":1.8,"exploitability":"0.5","weighted_severity":"3.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92ej-fqvf-zuf5"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70348?format=json","vulnerability_id":"VCID-11p9-2v3p-17ds","summary":"Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). 
This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27613.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27613.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27613","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10416","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13669","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13583","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13705","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13709","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27613"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27613","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27613"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983","reference_id":"1108983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379124","reference_i
d":"2379124","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379124"},{"reference_url":"https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5","reference_id":"465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5","reference_type":"","scores":[{"value":"3.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:55:29Z/"}],"url":"https://github.com/j6t/gitk/compare/465f03869ae11acd04abfa1b83c67879c867410c..026c397d911cde55924d7eb1311d0fd6e2e105d5"},{"reference_url":"https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652","reference_id":"7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652","reference_type":"","scores":[{"value":"3.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:55:29Z/"}],"url":"https://github.com/j6t/gitk/compare/7dd272eca153058da2e8d5b9960bbbf0b4f0cbaa..67a128b91e25978a15f9f7e194d81b441d603652"},{"reference_url":"https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v","reference_id":"GHSA-f3cw-xrj3-wr2v","reference_type":"","scores":[{"value":"3.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:55:29Z/"}],"url":"https://github.com/j6t/gitk/security/advisories/GHSA-f3cw-xrj3-wr2v"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"},
{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://usn.ubuntu.com/7626-1/","reference_id":"USN-7626-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7626-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96472?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u5%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3F
distro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96473?format=json","purl":"pkg:deb/debian/git@1:2.50.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.50.1-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2025-27613"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-11p9-2v3p-17ds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70351?format=json","vulnerability_id":"VCID-1etp-q9pp-7ygd","summary":"Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. 
This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27614.json","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27614.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27614","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06507","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08577","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08523","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08571","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08593","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27614"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983","reference_id":"1108983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379125","reference_id":"2379125","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379125"},{"reference_url":"https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129","re
ference_id":"8e3070aa5e331be45d4d03e3be41f84494fce129","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-10T15:54:41Z/"}],"url":"https://github.com/j6t/gitk/commit/8e3070aa5e331be45d4d03e3be41f84494fce129"},{"reference_url":"https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc","reference_id":"GHSA-g4v5-fjv9-mhhc","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-10T15:54:41Z/"}],"url":"https://github.com/j6t/gitk/security/advisories/GHSA-g4v5-fjv9-mhhc"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://usn.ubuntu.com/7626-1/","reference_id":"USN-7626-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7626-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96435?format=json","purl":"pkg:deb/debian/git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode
.io/packages/pkg:deb/debian/git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96473?format=json","purl":"pkg:deb/debian/git@1:2.50.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.50.1-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2025-27614"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1etp-q9pp-7ygd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70354?format=json","vulnerability_id":"VCID-2d5q-ag3v-xybv","summary":"Git GUI allows you to use the Git source control management tools via a GUI. 
A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46334","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07337","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09532","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09552","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09534","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09475","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46334"},{"reference_url":"https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9","reference_id":"dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-10T15:54:14Z/"}],"url":"https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a1ccd2512072cf52835050f4c97a4fba9f0ec8f9"},{"reference_url":"https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx","reference_id":"GHSA-7px4-9hg2-fvhx","reference_type":"","scores":[{"value":"8.6","
scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-10T15:54:14Z/"}],"url":"https://github.com/j6t/git-gui/security/advisories/GHSA-7px4-9hg2-fvhx"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96435?format=json","purl":"pkg:deb/debian/git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdis
tro=trixie"}],"aliases":["CVE-2025-46334"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2d5q-ag3v-xybv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70337?format=json","vulnerability_id":"VCID-2hrt-ht7y-b7d3","summary":"Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may create hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. 
The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32021.json","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32021.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32021","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05986","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06025","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06011","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06009","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05961","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32021"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32021","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32021"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160","reference_id":"1071160","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","refer
ence_id":"2","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:29:23Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280484","reference_id":"2280484","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280484"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7","reference_id":"GHSA-mvxm-9j2h-qjx7","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:29:23Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","reference_id":"msg00018.html","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:29:23Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4083","reference_id":"RHSA-2024:4083","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4083"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4084","reference_id":"RHSA-2024:4084","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4084"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4368","reference_id":"RHSA-2024:4368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4
368"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","reference_id":"S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-11T20:29:23Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"},{"reference_url":"https://usn.ubuntu.com/6793-1/","reference_id":"USN-6793-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6793-1/"},{"reference_url":"https://usn.ubuntu.com/7023-1/","reference_id":"USN-7023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2B
deb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96465?format=json","purl":"pkg:deb/debian/git@1:2.45.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.45.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-32021"],"risk_score":1.8,"exploitability":"0.5","weighted_severity":"3.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2hrt-ht7y-b7d3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70362?format=json","vulnerability_id":"VCID-2qac-gpbh-d3du","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. 
The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48385.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48385.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48385","reference_id":"","reference_type":"","scores":[{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40743","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40791","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40761","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.4073","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40786","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48385"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"
reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983","reference_id":"1108983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2378808","reference_id":"2378808","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2378808"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655","reference_id":"GHSA-m98c-vgpc-9655","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-08T18:38:28Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-m98c-vgpc-9655"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11686","reference_id":"RHSA-2025:11686","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11686"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11794","reference_id":"RHSA-2025:11794","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11794"},{"
reference_url":"https://access.redhat.com/errata/RHSA-2025:11795","reference_id":"RHSA-2025:11795","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11795"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13276","reference_id":"RHSA-2025:13276","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13276"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13325","reference_id":"RHSA-2025:13325","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13325"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13933","reference_id":"RHSA-2025:13933","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13933"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14059","reference_id":"RHSA-2025:14059","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14059"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14396","reference_id":"RHSA-2025:14396","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14396"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14853","reference_id":"RHSA-2025:14853","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14853"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14858","reference_id":"RHSA-2025:14858","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14858"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15672","reference_id":"RHSA-2025:15672","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15672"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15827","reference_id":"RHSA-2025:15827","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15827"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15828","reference_id":"RHSA-202
5:15828","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15828"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15847","reference_id":"RHSA-2025:15847","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15847"},{"reference_url":"https://usn.ubuntu.com/7626-1/","reference_id":"USN-7626-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7626-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96435?format=json","purl":"pkg:deb/debian/git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96473?format=json","purl":"pkg:deb/debian/git@1:2.50.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.50.1-0.1%3Fdistro=trixie"},{"url":"http://p
ublic2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2025-48385"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2qac-gpbh-d3du"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70359?format=json","vulnerability_id":"VCID-2qtu-z8mx-hqa2","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. 
This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48384.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48384.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48384","reference_id":"","reference_type":"","scores":[{"value":"0.00603","scoring_system":"epss","scoring_elements":"0.69974","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00603","scoring_system":"epss","scoring_elements":"0.69976","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00603","scoring_system":"epss","scoring_elements":"0.69963","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00603","scoring_system":"epss","scoring_elements":"0.69951","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00603","scoring_system":"epss","scoring_elements":"0.69967","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48384"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48384"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983","reference_id":"1108983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2378806","ref
erence_id":"2378806","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2378806"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9","reference_id":"GHSA-vwqx-4fm8-6qc9","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-08-26T03:55:23Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11686","reference_id":"RHSA-2025:11686","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11686"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11688","reference_id":"RHSA-2025:11688","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11688"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11793","reference_id":"RHSA-2025:11793","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11793"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11794","reference_id":"RHSA-2025:11794",
"reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11794"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11795","reference_id":"RHSA-2025:11795","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11795"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11796","reference_id":"RHSA-2025:11796","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11796"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11800","reference_id":"RHSA-2025:11800","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11800"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11801","reference_id":"RHSA-2025:11801","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11801"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13276","reference_id":"RHSA-2025:13276","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13276"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13325","reference_id":"RHSA-2025:13325","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13325"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13933","reference_id":"RHSA-2025:13933","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13933"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14059","reference_id":"RHSA-2025:14059","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14059"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14396","reference_id":"RHSA-2025:14396","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14396"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14853","reference_id":"RHSA-2025:14853","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14853"},
{"reference_url":"https://access.redhat.com/errata/RHSA-2025:14858","reference_id":"RHSA-2025:14858","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:14858"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15308","reference_id":"RHSA-2025:15308","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15308"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15672","reference_id":"RHSA-2025:15672","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15672"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15827","reference_id":"RHSA-2025:15827","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15827"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15828","reference_id":"RHSA-2025:15828","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15828"},{"reference_url":"https://usn.ubuntu.com/7626-1/","reference_id":"USN-7626-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7626-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96472?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u5%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public
2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96473?format=json","purl":"pkg:deb/debian/git@1:2.50.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.50.1-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2025-48384"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2qtu-z8mx-hqa2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70330?format=json","vulnerability_id":"VCID-379n-nvbu-aqhw","summary":"Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. 
As a workaround, avoid cloning repositories from untrusted sources.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32004.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32004.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32004","reference_id":"","reference_type":"","scores":[{"value":"0.02439","scoring_system":"epss","scoring_elements":"0.85474","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02439","scoring_system":"epss","scoring_elements":"0.85473","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02439","scoring_system":"epss","scoring_elements":"0.85478","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02439","scoring_system":"epss","scoring_elements":"0.85459","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32004"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32004","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32004"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160","reference_id":"1071160","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","reference_id":"2","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I
:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T17:59:29Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280428","reference_id":"2280428","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280428"},{"reference_url":"https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8","reference_id":"f4aa8c8bb11dae6e769cd930565173808cbb69c8","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T17:59:29Z/"}],"url":"https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389","reference_id":"GHSA-xfc6-vwr8-r389","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T17:59:29Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389"},{"reference_url":"https://git-scm.com/docs/git-clone","reference_id":"git-clone","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T17:59:29Z/"}],"url":"https://git-scm.com/docs/git-clone"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","reference_id":"msg00018.html","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track"
,"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T17:59:29Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4083","reference_id":"RHSA-2024:4083","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4083"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4084","reference_id":"RHSA-2024:4084","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4084"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4368","reference_id":"RHSA-2024:4368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4368"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4579","reference_id":"RHSA-2024:4579","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4579"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6027","reference_id":"RHSA-2024:6027","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6027"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6028","reference_id":"RHSA-2024:6028","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6028"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6610","reference_id":"RHSA-2024:6610","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6610"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7701","reference_id":"RHSA-2024:7701","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7701"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","reference_id":"S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/
UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T17:59:29Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"},{"reference_url":"https://usn.ubuntu.com/6793-1/","reference_id":"USN-6793-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6793-1/"},{"reference_url":"https://usn.ubuntu.com/7023-1/","reference_id":"USN-7023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96465?format=json","purl":"pkg:deb/debian/git@1:2.45.1-1?distro=trixie"
,"is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.45.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-32004"],"risk_score":3.7,"exploitability":"0.5","weighted_severity":"7.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-379n-nvbu-aqhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70302?format=json","vulnerability_id":"VCID-3eya-4jk6-nuf9","summary":"Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. 
This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39260.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39260.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39260","reference_id":"","reference_type":"","scores":[{"value":"0.02232","scoring_system":"epss","scoring_elements":"0.8484","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02232","scoring_system":"epss","scoring_elements":"0.84863","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02232","scoring_system":"epss","scoring_elements":"0.84867","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02232","scoring_system":"epss","scoring_elements":"0.84862","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02232","scoring_system":"epss","scoring_elements":"0.84851","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02232","scoring_system":"epss","scoring_elements":"0.84865","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.o
rg/cgi-bin/cvename.cgi?name=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022046","reference_id":"1022046","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022046"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2137423","reference_id":"2137423","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2137423"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2319","reference_id":"RHSA-2023:2319","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2319"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2859","reference_id":"RHSA-2023:2859","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2859"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0407","reference_
id":"RHSA-2024:0407","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0407"},{"reference_url":"https://usn.ubuntu.com/5686-1/","reference_id":"USN-5686-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5686-1/"},{"reference_url":"https://usn.ubuntu.com/5686-2/","reference_id":"USN-5686-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5686-2/"},{"reference_url":"https://usn.ubuntu.com/5686-3/","reference_id":"USN-5686-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5686-3/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96457?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96461?format=json","purl":"pkg:deb/debian/git@1:2.38.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.38.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_b
y_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-39260"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3eya-4jk6-nuf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70318?format=json","vulnerability_id":"VCID-3gjt-6jab-8ubp","summary":"In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\\mingw64\\share\\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\\` (and since `C:\\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.  This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. 
Do not work on a Windows machine with shared accounts, or alternatively create a `C:\\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\\`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25815.json","reference_id":"","reference_type":"","scores":[{"value":"2.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25815.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25815","reference_id":"","reference_type":"","scores":[{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27128","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27193","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27139","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27099","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.2705","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27058","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25815"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport
.cgi?bug=1034835","reference_id":"1034835","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034835"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337","reference_id":"2188337","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3192","reference_id":"RHSA-2023:3192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3243","reference_id":"RHSA-2023:3243","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3243"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3245","reference_id":"RHSA-2023:3245","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3245"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3246","reference_id":"RHSA-2023:3246","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3247","reference_id":"RHSA-2023:3247","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3247"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3248","reference_id":"RHSA-2023:3248","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3248"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3280","reference_id":"RHSA-2023:3280","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3280"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3382","reference_id":"RHSA-2023:3382","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA
-2023:3382"},{"reference_url":"https://usn.ubuntu.com/6050-1/","reference_id":"USN-6050-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6050-1/"},{"reference_url":"https://usn.ubuntu.com/7023-1/","reference_id":"USN-7023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96464?format=json","purl":"pkg:deb/debian/git@1:2.40.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.40.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.
3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2023-25815"],"risk_score":1.0,"exploitability":"0.5","weighted_severity":"2.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3gjt-6jab-8ubp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6571?format=json","vulnerability_id":"VCID-4q6k-q42y-e3by","summary":"access restriction bypass","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-8386.json","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-8386.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-8386","reference_id":"","reference_type":"","scores":[{"value":"0.71499","scoring_system":"epss","scoring_elements":"0.98745","published_at":"2026-06-08T12:55:00Z"},{"value":"0.71499","scoring_system":"epss","scoring_elements":"0.98746","published_at":"2026-06-05T12:55:00Z"},{"value":"0.71499","scoring_system":"epss","scoring_elements":"0.98744","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-8386"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","r
eference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1450407","reference_id":"1450407","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1450407"},{"reference_url":"https://security.archlinux.org/ASA-201705-14","reference_id":"ASA-201705-14","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201705-14"},{"reference_url":"https://security.archlinux.org/AVG-267","reference_id":"AVG-267","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-267"},{"reference_url":"https://security.gentoo.org/glsa/201706-04","reference_id":"GLSA-201706-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201706-04"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2004","reference_id":"RHSA-2017:2004","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2004"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2491","reference_id":"RHSA-2017:2491","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2491"},{"reference_url":"https://usn.ubuntu.com/3287-1/","reference_id":"USN-3287-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3287-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96444?format=json","purl":"pkg:deb/debian/git@1:2.11.0-3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.11.0-3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vu
lnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2017-8386"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4q6k-q42y-e3by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62467?format=json","vulnerability_id":"VCID-4vmk-t5v6-2yb1","summary":"revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer 
overflow.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2315.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2315.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2315","reference_id":"","reference_type":"","scores":[{"value":"0.17652","scoring_system":"epss","scoring_elements":"0.95228","published_at":"2026-06-04T12:55:00Z"},{"value":"0.17652","scoring_system":"epss","scoring_elements":"0.95235","published_at":"2026-06-05T12:55:00Z"},{"value":"0.17652","scoring_system":"epss","scoring_elements":"0.95237","published_at":"2026-06-06T12:55:00Z"},{"value":"0.17652","scoring_system":"epss","scoring_elements":"0.95239","published_at":"2026-06-07T12:55:00Z"},{"value":"0.17652","scoring_system":"epss","scoring_elements":"0.95238","published_at":"2026-06-08T12:55:00Z"},{"value":"0.17652","scoring_system":"epss","scoring_elements":"0.95241","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2315"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1317981","reference_id":"1317981","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1317981"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818318","reference_id":"818318","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818318"},{"reference_url":"https://security.gentoo.org/glsa/201605-01","reference_id":"GLSA-201605-01","reference_type":"","
scores":[],"url":"https://security.gentoo.org/glsa/201605-01"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0496","reference_id":"RHSA-2016:0496","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0496"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0497","reference_id":"RHSA-2016:0497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0497"},{"reference_url":"https://usn.ubuntu.com/2938-1/","reference_id":"USN-2938-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2938-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96439?format=json","purl":"pkg:deb/debian/git@1:2.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.7.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":
false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2016-2315"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4vmk-t5v6-2yb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70274?format=json","vulnerability_id":"VCID-59kr-fu74-dkcv","summary":"Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-19486.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-19486.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-19486","reference_id":"","reference_type":"","scores":[{"value":"0.00528","scoring_system":"epss","scoring_elements":"0.67534","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00557","scoring_system":"epss","scoring_elements":"0.68572","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00557","scoring_system":"epss","scoring_elements":"0.6858","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00557","scoring_system":"epss","scoring_elements":"0.68573","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00557","scoring_system":"epss","scoring_elements":"0.68558","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00557","scoring_system":"epss","scoring_elements":"0.6853","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-19486"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19486
","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19486"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1653143","reference_id":"1653143","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1653143"},{"reference_url":"https://security.gentoo.org/glsa/201904-13","reference_id":"GLSA-201904-13","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201904-13"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3800","reference_id":"RHSA-2018:3800","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3800"},{"reference_url":"https://usn.ubuntu.com/3829-1/","reference_id":"USN-3829-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3829-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96447?format=json","purl":"pkg:deb/debian/git@1:2.19.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.19.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"re
source_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2018-19486"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-59kr-fu74-dkcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70266?format=json","vulnerability_id":"VCID-5ey8-b4bv-d7da","summary":"The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a 
submodule.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7545.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7545.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7545","reference_id":"","reference_type":"","scores":[{"value":"0.31254","scoring_system":"epss","scoring_elements":"0.96859","published_at":"2026-06-04T12:55:00Z"},{"value":"0.31254","scoring_system":"epss","scoring_elements":"0.96863","published_at":"2026-06-05T12:55:00Z"},{"value":"0.31254","scoring_system":"epss","scoring_elements":"0.96868","published_at":"2026-06-07T12:55:00Z"},{"value":"0.31254","scoring_system":"epss","scoring_elements":"0.96867","published_at":"2026-06-08T12:55:00Z"},{"value":"0.31254","scoring_system":"epss","scoring_elements":"0.96872","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7545"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7545","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7545"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1269794","reference_id":"1269794","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1269794"},{"reference_url":"https://security.gentoo.org/glsa/201605-01","reference_id":"GLSA-201605-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201605-01"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:2515","reference_id":"RHSA-2015:2515","reference_type":"","scores":[],"url":"
https://access.redhat.com/errata/RHSA-2015:2515"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:2561","reference_id":"RHSA-2015:2561","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:2561"},{"reference_url":"https://usn.ubuntu.com/2835-1/","reference_id":"USN-2835-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2835-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96438?format=json","purl":"pkg:deb/debian/git@1:2.6.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.6.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2015-7545"],"risk_score":1.6,"exploitab
ility":"0.5","weighted_severity":"3.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ey8-b4bv-d7da"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35507?format=json","vulnerability_id":"VCID-6an9-ych8-zqcy","summary":"Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.","references":[{"reference_url":"http://article.gmane.org/gmane.linux.kernel/1853266","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://article.gmane.org/gmane.linux.kernel/1853266"},{"reference_url":"http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html"},{"reference_url":"http://mercurial.selenic.com/wiki/WhatsNew","reference_id":"",
"reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://mercurial.selenic.com/wiki/WhatsNew"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9390.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9390.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9390","reference_id":"","reference_type":"","scores":[{"value":"0.77155","scoring_system":"epss","scoring_elements":"0.98989","published_at":"2026-06-09T12:55:00Z"},{"value":"0.77155","scoring_system":"epss","scoring_elements":"0.98993","published_at":"2026-06-06T12:55:00Z"},{"value":"0.77155","scoring_system":"epss","scoring_elements":"0.9899","published_at":"2026-06-08T12:55:00Z"},{"value":"0.77155","scoring_system":"epss","scoring_elements":"0.98991","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9390"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390"},{"reference_url":"http://securitytracker.com/id?1031404","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://securitytracker.com/id?1031404"},{"reference_url":"https://github.com/blog/1938-git-client-vulnerability-announced","
reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/blog/1938-git-client-vulnerability-announced"},{"reference_url":"https://github.com/blog/1938-vulnerability-announced-update-your-git-clients","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/blog/1938-vulnerability-announced-update-your-git-clients"},{"reference_url":"https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915"},{"reference_url":"https://github.com/libgit2/libgit2/releases/tag/v0.21.3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/libgit2/libgit2/releases/tag/v0.21.3"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml"},{"reference_url"
:"https://libgit2.org/security","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://libgit2.org/security"},{"reference_url":"https://libgit2.org/security/","reference_id":"","reference_type":"","scores":[],"url":"https://libgit2.org/security/"},{"reference_url":"https://news.ycombinator.com/item?id=8769667","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://news.ycombinator.com/item?id=8769667"},{"reference_url":"https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3"},{"reference_url":"http://support.apple.com/kb/HT204147","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":"
"}],"url":"http://support.apple.com/kb/HT204147"},{"reference_url":"https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1175960","reference_id":"1175960","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1175960"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773640","reference_id":"773640","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773640"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774048","reference_id":"774048","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774048"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774050","reference_id":"774050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774050"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-9390","reference_id":"CVE-2014-9390","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-9390"},{"reference_url":"https://github.com/advisories/GHSA-6vvc-c2m3-cjf3","reference_id":"GHSA-6vvc-c2m3-cjf3","refer
ence_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6vvc-c2m3-cjf3"},{"reference_url":"https://security.gentoo.org/glsa/201509-06","reference_id":"GLSA-201509-06","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201509-06"},{"reference_url":"https://usn.ubuntu.com/2470-1/","reference_id":"USN-2470-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2470-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96436?format=json","purl":"pkg:deb/debian/git@1:2.1.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.1.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:de
b/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2014-9390","GHSA-6vvc-c2m3-cjf3","PYSEC-2020-217"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6an9-ych8-zqcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70293?format=json","vulnerability_id":"VCID-6h2q-p5km-rkbc","summary":"git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-40330.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-40330.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-40330","reference_id":"","reference_type":"","scores":[{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67822","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67862","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67869","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67857","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67844","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00536","scoring_system":"epss","scoring_elements":"0.67859","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-40330"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40330","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.
org/cgi-bin/cvename.cgi?name=CVE-2021-40330"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1999755","reference_id":"1999755","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1999755"},{"reference_url":"https://usn.ubuntu.com/5076-1/","reference_id":"USN-5076-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5076-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96455?format=json","purl":"pkg:deb/debian/git@1:2.30.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://pu
blic2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2021-40330"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6h2q-p5km-rkbc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70269?format=json","vulnerability_id":"VCID-6th5-k8t1-kqa8","summary":"Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-14867.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-14867.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-14867","reference_id":"","reference_type":"","scores":[{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91288","published_at":"2026-06-04T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91309","published_at":"2026-06-09T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91298","published_at":"2026-06-07T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91294","published_at":"2026-06-08T12:55:00Z"},{"value":"0.06534","scoring_system":"epss","scoring_elements":"0.91301","published_at":"2026-06-05T12:55:00Z"},{"value":"0.06534","scoring_system":"epss"
,"scoring_elements":"0.91302","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-14867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:N/C:C/I:C/A:C"},{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1496344","reference_id":"1496344","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1496344"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854","reference_id":"876854","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854"},{"reference_url":"https://usn.ubuntu.com/3438-1/","reference_id":"USN-3438-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3438-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96442?format=json","purl":"pkg:deb/debian/git@1:2.14.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.14.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?
format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2017-14867"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6th5-k8t1-kqa8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70341?format=json","vulnerability_id":"VCID-7b54-2124-wudx","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interprets to confuse users, e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. 
This issue has been patched via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-50349.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-50349.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50349","reference_id":"","reference_type":"","scores":[{"value":"0.02784","scoring_system":"epss","scoring_elements":"0.86363","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02784","scoring_system":"epss","scoring_elements":"0.86364","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02784","scoring_system":"epss","scoring_elements":"0.86366","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02784","scoring_system":"epss","scoring_elements":"0.86362","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02784","scoring_system":"epss","scoring_elements":"0.8635","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50349"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=10930
42","reference_id":"1093042","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093042"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2337824","reference_id":"2337824","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2337824"},{"reference_url":"https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8","reference_id":"7725b8100ffbbff2750ee4d61a0fcc1f53a086e8","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:22:40Z/"}],"url":"https://github.com/git/git/commit/7725b8100ffbbff2750ee4d61a0fcc1f53a086e8"},{"reference_url":"https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577","reference_id":"c903985bf7e772e2d08275c1a95c8a55ab011577","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:22:40Z/"}],"url":"https://github.com/git/git/commit/c903985bf7e772e2d08275c1a95c8a55ab011577"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr","reference_id":"GHSA-hmg8-h7qf-7cxr","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:22:40Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-
2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19601","reference_id":"RHSA-2025:19601","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19601"},{"reference_url":"https://usn.ubuntu.com/7207-1/","reference_id":"USN-7207-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7207-1/"},{"reference_url":"https://usn.ubuntu.com/7207-2/","reference_id":"USN-7207-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7207-2/"},{"reference_url":"https://usn.ubuntu.com/7964-1/","reference_id":"USN-7964-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7964-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96469?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u4?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96467?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u
2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96471?format=json","purl":"pkg:deb/debian/git@1:2.47.2-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.2-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-50349"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7b54-2124-wudx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70298?format=json","vulnerability_id":"VCID-7skw-rc62-gbdt","summary":"Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. 
When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. 
Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39253.json","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39253.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39253","reference_id":"","reference_type":"","scores":[{"value":"0.02579","scoring_system":"epss","scoring_elements":"0.85845","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02579","scoring_system":"epss","scoring_elements":"0.85867","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02579","scoring_system":"epss","scoring_elements":"0.85868","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02579","scoring_system":"epss","scoring_elements":"0.85865","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02579","scoring_system":"epss","scoring_elements":"0.85849","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02579","scoring_system":"epss","scoring_elements":"0.85863","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin
/cvename.cgi?name=CVE-2022-39253","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022046","reference_id":"1022046","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022046"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2137422","reference_id":"2137422","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2137422"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2319","reference_id":"RHSA-2023:2319","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2319"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2859","reference_id":"RHSA-2023:2859","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2859"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0407","reference_id":"RHSA-2024:0407","reference_type":"","scores":[],"url":"https://access.redhat.com/errata
/RHSA-2024:0407"},{"reference_url":"https://usn.ubuntu.com/5686-1/","reference_id":"USN-5686-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5686-1/"},{"reference_url":"https://usn.ubuntu.com/5686-3/","reference_id":"USN-5686-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5686-3/"},{"reference_url":"https://usn.ubuntu.com/5686-4/","reference_id":"USN-5686-4","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5686-4/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96457?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96461?format=json","purl":"pkg:deb/debian/git@1:2.38.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.38.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debi
an/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-39253"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7skw-rc62-gbdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6000?format=json","vulnerability_id":"VCID-8pmu-3e8x-xbaz","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1350.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1350.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1350","reference_id":"","reference_type":"","scores":[{"value":"0.2462","scoring_system":"epss","scoring_elements":"0.96231","published_at":"2026-06-04T12:55:00Z"},{"value":"0.2462","scoring_system":"epss","scoring_elements":"0.96236","published_at":"2026-06-05T12:55:00Z"},{"value":"0.2462","scoring_system":"epss","scoring_elements":"0.96238","published_at":"2026-06-08T12:55:00Z"},{"value":"0.2462","scoring_system":"epss","scoring_elements":"0.96239","published_at":"2026-06-07T12:55:00Z"},{"value":"0.2462","scoring_system":"epss","scoring_elements":"0.96244","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1350"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781958","reference_id":"1781958","reference_type":"","scores":[],"url":"https://bugzilla.re
dhat.com/show_bug.cgi?id=1781958"},{"reference_url":"https://security.archlinux.org/AVG-1074","reference_id":"AVG-1074","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1074"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://security.gentoo.org/glsa/202003-42","reference_id":"GLSA-202003-42","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-42"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/
git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1350"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8pmu-3e8x-xbaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5997?format=json","vulnerability_id":"VCID-8zdm-p1kc-affh","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1354.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1354.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1354","reference_id":"","reference_type":"","scores":[{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95554","published_at":"2026-06-05T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95546","published_at":"2026-06-04T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.9556","published_at":"2026-06-08T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95564","published_at":"2026-06-09T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95558","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1354"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"0","sco
ring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781968","reference_id":"1781968","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781968"},{"reference_url":"https://security.archlinux.org/AVG-1074","reference_id":"AVG-1074","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1074"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb1
3u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1354"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8zdm-p1kc-affh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70308?format=json","vulnerability_id":"VCID-b5ny-wvbt-3qe4","summary":"Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and run `git submodule update` at each layer. 
Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22490.json","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22490.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22490","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33556","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33658","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33672","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33637","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33603","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33625","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22490"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/proje
cts/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031310","reference_id":"1031310","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031310"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160","reference_id":"2168160","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3245","reference_id":"RHSA-2023:3245","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3245"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3246","reference_id":"RHSA-2023:3246","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0407","reference_id":"RHSA-2024:0407","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0407"},{"reference_url":"https://usn.ubuntu.com/5871-1/","reference_id":"USN-5871-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5871-1/"},{"reference_url":"https://usn.ubuntu.com/5871-2/","reference_id":"USN-5871-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5871-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96462?format=json","purl":"pkg:deb/debian/git@1:2.39.2-1?distro=trixie","is_vulnerable":false,"affected_by
_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2023-22490"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b5ny-wvbt-3qe4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5994?format=json","vulnerability_id":"VCID-bp2e-a3y2-67d6","summary":"arbitrary code 
execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1348.json","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1348.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1348","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09365","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09407","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09393","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09333","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09346","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.0939","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-135
3"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781953","reference_id":"1781953","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781953"},{"reference_url":"https://security.archlinux.org/ASA-201912-5","reference_id":"ASA-201912-5","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-5"},{"reference_url":"https://security.archlinux.org/ASA-201912-6","reference_id":"ASA-201912-6","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-6"},{"reference_url":"https://security.archlinux.org/AVG-1073","reference_id":"AVG-1073","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1073"},{"reference_url":"https://security.archlinux.org/AVG-1075","reference_id":"AVG-1075","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1075"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://security.gentoo.org/glsa/202003-42","reference_id":"GLSA-202003-42","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-42"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:4356","reference_id":"RHSA-2019:4356","re
ference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:4356"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0002","reference_id":"RHSA-2020:0002","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0002"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0228","reference_id":"RHSA-2020:0228","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0228"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro
=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1348"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bp2e-a3y2-67d6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3577?format=json","vulnerability_id":"VCID-c3c2-5pmr-wbdf","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29187.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29187.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29187","reference_id":"","reference_type":"","scores":[{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29169","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.2915","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29171","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29138","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29239","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29206","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765","reference_id":"","reference_type":
"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014848","reference_id":"1014848","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014848"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107439","reference_id":"2107439","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2107439"},{"reference_url":"https://security.archlinux.org/AVG-2778","reference_id":"AVG-2778","reference_type":"","scores":[{"value":"Unknown","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2778"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gen
too.org/glsa/202312-15"},{"reference_url":"https://security.gentoo.org/glsa/202401-17","reference_id":"GLSA-202401-17","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202401-17"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2319","reference_id":"RHSA-2023:2319","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2319"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2859","reference_id":"RHSA-2023:2859","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2859"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0407","reference_id":"RHSA-2024:0407","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0407"},{"reference_url":"https://usn.ubuntu.com/5511-1/","reference_id":"USN-5511-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5511-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96457?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96460?format=json","purl":"pkg:deb/debian/git@1:2.37.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.37.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?
distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-29187"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c3c2-5pmr-wbdf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5937?format=json","vulnerability_id":"VCID-ck8y-cu92-e3eb","summary":"information 
disclosure","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11008.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11008.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11008","reference_id":"","reference_type":"","scores":[{"value":"0.02889","scoring_system":"epss","scoring_elements":"0.86578","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02889","scoring_system":"epss","scoring_elements":"0.86599","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02889","scoring_system":"epss","scoring_elements":"0.86596","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02889","scoring_system":"epss","scoring_elements":"0.86586","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02889","scoring_system":"epss","scoring_elements":"0.86602","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02889","scoring_system":"epss","scoring_elements":"0.86601","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11008"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1826001","reference_id":"1826001","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1826001"},{"reference_url":"https://security.archlinux.org/ASA-202004-21","referen
ce_id":"ASA-202004-21","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202004-21"},{"reference_url":"https://security.archlinux.org/AVG-1138","reference_id":"AVG-1138","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1138"},{"reference_url":"https://security.gentoo.org/glsa/202004-13","reference_id":"GLSA-202004-13","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202004-13"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1975","reference_id":"RHSA-2020:1975","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1975"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1978","reference_id":"RHSA-2020:1978","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1978"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1979","reference_id":"RHSA-2020:1979","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1979"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1980","reference_id":"RHSA-2020:1980","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1980"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2337","reference_id":"RHSA-2020:2337","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2337"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3581","reference_id":"RHSA-2020:3581","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3581"},{"reference_url":"https://usn.ubuntu.com/4334-1/","reference_id":"USN-4334-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4334-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96451?format=json","purl":"pkg:deb/debian/git@1:2.26.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"r
esource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.26.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2020-11008"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ck8y-cu92-e3eb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5991?format=json","vulnerability_id":"VCID-dtfx-rztk-r7at","summary":"arbitrary code 
execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1387.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1387.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1387","reference_id":"","reference_type":"","scores":[{"value":"0.01944","scoring_system":"epss","scoring_elements":"0.83784","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01944","scoring_system":"epss","scoring_elements":"0.83773","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01944","scoring_system":"epss","scoring_elements":"0.83793","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01944","scoring_system":"epss","scoring_elements":"0.83797","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01944","scoring_system":"epss","scoring_elements":"0.83796","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1387"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387","reference_id":"","referen
ce_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781127","reference_id":"1781127","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781127"},{"reference_url":"https://security.archlinux.org/ASA-201912-5","reference_id":"ASA-201912-5","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-5"},{"reference_url":"https://security.archlinux.org/ASA-201912-6","reference_id":"ASA-201912-6","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-6"},{"reference_url":"https://security.archlinux.org/AVG-1073","reference_id":"AVG-1073","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1073"},{"reference_url":"https://security.archlinux.org/AVG-1075","reference_id":"AVG-1075","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1075"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://security.gentoo.org/glsa/202003-42","reference_id":"GLSA-202003-42","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://security.gentoo.org/glsa/202003-42"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html","reference_id":"msg00003.html","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"http://lists.opens
use.org/opensuse-security-announce/2020-05/msg00003.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","reference_id":"msg00018.html","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html","reference_id":"msg00019.html","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html","reference_id":"msg00056.html","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/","reference_id":"N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:4356","reference_id":"RHSA-2019:4356","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://access.redhat.com/errata/RHSA-2019:4356"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0002","reference_id":"RHSA-2020:00
02","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0002"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0124","reference_id":"RHSA-2020:0124","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0124"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0228","reference_id":"RHSA-2020:0228","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://access.redhat.com/errata/RHSA-2020:0228"},{"reference_url":"https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u","reference_id":"#u","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"},{"reference_url":"https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/","reference_id":"xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-19T18:49:36Z/"}],"url":"https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1
:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1387"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dtfx-rztk-r7at"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70294?format=json","vulnerability_id":"VCID-e7hx-a51c-mqe7","summary":"Git is distributed revision control system. 
gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching those patterns. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. These integer overflows can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. 
There are no known workarounds for this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23521.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23521.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23521","reference_id":"","reference_type":"","scores":[{"value":"0.09438","scoring_system":"epss","scoring_elements":"0.92959","published_at":"2026-06-08T12:55:00Z"},{"value":"0.09438","scoring_system":"epss","scoring_elements":"0.92962","published_at":"2026-06-07T12:55:00Z"},{"value":"0.09438","scoring_system":"epss","scoring_elements":"0.9297","published_at":"2026-06-09T12:55:00Z"},{"value":"0.09438","scoring_system":"epss","scoring_elements":"0.92966","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/c
vename.cgi?name=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029114","reference_id":"1029114","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029114"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2162055","reference_id":"2162055","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2162055"},{"reference_url":"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76","reference_id":"508386c6c5857b4faa2c3e491f422c98cc69ae76","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:25Z/"}],"url":"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89","reference_id":"GHSA-c738-c5qq-xg89","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:25Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-1
5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:25Z/"}],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0596","reference_id":"RHSA-2023:0596","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0596"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0597","reference_id":"RHSA-2023:0597","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0597"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0599","reference_id":"RHSA-2023:0599","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0599"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0609","reference_id":"RHSA-2023:0609","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0609"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0610","reference_id":"RHSA-2023:0610","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0610"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0611","reference_id":"RHSA-2023:0611","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0611"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0627","reference_id":"RHSA-2023:0627","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0627"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0628","reference_id":"RHSA-2023:0628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0978","reference_id":"RHSA-2023:0978","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023
:0978"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1677","reference_id":"RHSA-2023:1677","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1677"},{"reference_url":"https://usn.ubuntu.com/5810-1/","reference_id":"USN-5810-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5810-1/"},{"reference_url":"https://usn.ubuntu.com/5810-3/","reference_id":"USN-5810-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5810-3/"},{"reference_url":"https://usn.ubuntu.com/5810-4/","reference_id":"USN-5810-4","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5810-4/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96457?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96456?format=json","purl":"pkg:deb/debian/git@1:2.39.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.1-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl"
:"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-23521"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e7hx-a51c-mqe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5996?format=json","vulnerability_id":"VCID-ets7-kzdx-gbhn","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19604.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19604.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19604","reference_id":"","reference_type":"","scores":[{"value":"0.01562","scoring_system":"epss","scoring_elements":"0.81817","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01562","scoring_system":"epss","scoring_elements":"0.81851","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01562","scoring_system":"epss","scoring_elements":"0.81844","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01562","scoring_system":"epss","scoring_elements":"0.8186","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19604"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/
cvename.cgi?name=CVE-2019-19604"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781971","reference_id":"1781971","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781971"},{"reference_url":"https://security.archlinux.org/ASA-201912-6","reference_id":"ASA-201912-6","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-6"},{"reference_url":"https://security.archlinux.org/AVG-1073","reference_id":"AVG-1073","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1073"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","pu
rl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-19604"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ets7-kzdx-gbhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6235?format=json","vulnerability_id":"VCID-f61x-5h8a-8keb","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-17456.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-17456.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17456","reference_id":"","reference_type":"","scores":[{"value":"0.59226","scoring_system":"epss","scoring_elements":"0.98272","published_at":"2026-06-07T12:55:00Z"},{"value":"0.59226","scoring_system":"epss","scoring_elements":"0.98269","published_at":"2026-06-04T12:55:00Z"},{"value":"0.59226","scoring_system":"epss","scoring_elements":"0.98273","published_at":"2026-06-08T12:55:00Z"},{"value":"0.59226","scoring_system":"epss","scoring_elements":"0.98271","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-17456"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17456","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2018-17456"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1636619","reference_id":"1636619","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1636619"},{"reference_url":"https://security.archlinux.org/ASA-201810-7","reference_id":"ASA-201810-7","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201810-7"},{"reference_url":"https://security.archlinux.org/AVG-776","reference_id":"AVG-776","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-776"},{"reference_url":"https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6","reference_id":"CVE-2018-17456","reference_type":"exploit","scores":[],"url":"https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/45548.txt","reference_id":"CVE-2018-17456","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/45548.txt"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/45631.md","reference_id":"CVE-2018-17456","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/45631.md"},{"reference_url":"https://marc.info/?l=git&m=153875888916397&w=2","reference_id":"CVE-2018-17456","reference_type":"exploit","scores":[],"url":"https://marc.info/?l=git&m=153875888916397&w=2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3
408","reference_id":"RHSA-2018:3408","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3408"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:3541","reference_id":"RHSA-2018:3541","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:3541"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0316","reference_id":"RHSA-2020:0316","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0316"},{"reference_url":"https://usn.ubuntu.com/3791-1/","reference_id":"USN-3791-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3791-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96446?format=json","purl":"pkg:deb/debian/git@1:2.19.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.19.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","pur
l":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2018-17456"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f61x-5h8a-8keb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70313?format=json","vulnerability_id":"VCID-fqd2-fs8y-sbek","summary":"Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. 
Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25652.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25652.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25652","reference_id":"","reference_type":"","scores":[{"value":"0.03559","scoring_system":"epss","scoring_elements":"0.87911","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03559","scoring_system":"epss","scoring_elements":"0.87949","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03559","scoring_system":"epss","scoring_elements":"0.87932","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03559","scoring_system":"epss","scoring_elements":"0.87936","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03559","scoring_system":"epss","scoring_elements":"0.87935","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03559","scoring_system":"epss","scoring_elements":"0.87937","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034835","reference_id":"1034835","reference_typ
e":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034835"},{"reference_url":"https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902","reference_id":"18e2b1cfc80990719275d7b08e6e50f3e8cbc902","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/04/25/2","reference_id":"2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333","reference_id":"2188333","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"reference_url":"https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e","reference_id":"668f2d53613ac8fd373926ebe219f2c29112d93e","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/","reference_id":"BSXOGVVBJLYX26IAYX6PJSYQB36BREWH","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx","reference_id":"GHSA-2hvf-7c8p-28fx","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","reference_id":"msg00018.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/","reference_id":"PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elemen
ts":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3192","reference_id":"RHSA-2023:3192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3243","reference_id":"RHSA-2023:3243","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3243"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3245","reference_id":"RHSA-2023:3245","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3245"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3246","reference_id":"RHSA-2023:3246","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3247","reference_id":"RHSA-2023:3247","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3247"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3248","reference_id":"RHSA-2023:3248","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3248"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3263","reference_id":"RHSA-2023:3263","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3263"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3280","reference_id":"RHSA-2023:3280","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3280"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3382","reference_id":"RHSA-2023:3382","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3382"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/","reference_id":"RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"reference_url":"https://usn.ubuntu.com/6050-1/","reference_id":"USN-6050-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6050-1/"},{"reference_url":"https://usn.ubuntu.com/6050-2/","reference_id":"USN-6050-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6050-2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/","reference_id":"YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-05T19:56:20Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packa
ges/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96464?format=json","purl":"pkg:deb/debian/git@1:2.40.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.40.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2023-25652"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fqd2-fs8y-sbek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70270?format=json","vulnerability_id":"VCID-gbc3-87xn-rue9","summary":"Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service 
(memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15298.json","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15298.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15298","reference_id":"","reference_type":"","scores":[{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63797","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63845","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63838","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63825","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63839","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00446","scoring_system":"epss","scoring_elements":"0.63846","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15298"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:H/Au:N/C:N/I:N/A:P"},{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://ftp.
suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1510455","reference_id":"1510455","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1510455"},{"reference_url":"https://usn.ubuntu.com/3829-1/","reference_id":"USN-3829-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3829-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96443?format=json","purl":"pkg:deb/debian/git@1:2.16.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.16.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2017-15298"],"risk_score":
1.6,"exploitability":"0.5","weighted_severity":"3.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gbc3-87xn-rue9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4258?format=json","vulnerability_id":"VCID-gfdd-x8j7-abcq","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11233.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11233.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11233","reference_id":"","reference_type":"","scores":[{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54476","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54534","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54512","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54543","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54533","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11233"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1583888","reference_id":"1583888","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1583888"},{"reference_url":"https://security.archlinux.org/ASA-201806-1","reference_id":"ASA-201806-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201806-1"},{"reference_url":"https://security.archlinux.org/AVG-711","re
ference_id":"AVG-711","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-711"},{"reference_url":"https://security.gentoo.org/glsa/201805-13","reference_id":"GLSA-201805-13","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201805-13"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2147","reference_id":"RHSA-2018:2147","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2147"},{"reference_url":"https://usn.ubuntu.com/3671-1/","reference_id":"USN-3671-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3671-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96445?format=json","purl":"pkg:deb/debian/git@1:2.17.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.17.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io
/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2018-11233"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gfdd-x8j7-abcq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70322?format=json","vulnerability_id":"VCID-hb9a-8vat-affq","summary":"Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. 
As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29007.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29007.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29007","reference_id":"","reference_type":"","scores":[{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70382","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70391","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70384","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70373","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70361","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29007"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034835","reference_id":"1034835","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034835"},{"reference_url":"https://
bugzilla.redhat.com/show_bug.cgi?id=2188338","reference_id":"2188338","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3192","reference_id":"RHSA-2023:3192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3243","reference_id":"RHSA-2023:3243","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3243"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3245","reference_id":"RHSA-2023:3245","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3245"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3246","reference_id":"RHSA-2023:3246","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3247","reference_id":"RHSA-2023:3247","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3247"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3248","reference_id":"RHSA-2023:3248","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3248"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3263","reference_id":"RHSA-2023:3263","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3263"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3280","reference_id":"RHSA-2023:3280","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3280"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3382","reference_id":"RHSA-2023:3382","reference_type":"","scores":[],"url":"https://access.re
dhat.com/errata/RHSA-2023:3382"},{"reference_url":"https://usn.ubuntu.com/6050-1/","reference_id":"USN-6050-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6050-1/"},{"reference_url":"https://usn.ubuntu.com/6050-2/","reference_id":"USN-6050-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6050-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96464?format=json","purl":"pkg:deb/debian/git@1:2.40.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.40.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:de
b/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2023-29007"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hb9a-8vat-affq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4257?format=json","vulnerability_id":"VCID-hta3-stk3-87ev","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11235.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11235.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11235","reference_id":"","reference_type":"","scores":[{"value":"0.4172","scoring_system":"epss","scoring_elements":"0.97501","published_at":"2026-06-08T12:55:00Z"},{"value":"0.4172","scoring_system":"epss","scoring_elements":"0.97494","published_at":"2026-06-04T12:55:00Z"},{"value":"0.4172","scoring_system":"epss","scoring_elements":"0.97502","published_at":"2026-06-09T12:55:00Z"},{"value":"0.4172","scoring_system":"epss","scoring_elements":"0.975","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11235"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2
018-11235"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1583862","reference_id":"1583862","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1583862"},{"reference_url":"https://security.archlinux.org/ASA-201806-1","reference_id":"ASA-201806-1","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201806-1"},{"reference_url":"https://security.archlinux.org/AVG-711","reference_id":"AVG-711","reference_type":"","scores":[{"value":"Critical","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-711"},{"reference_url":"https://security.gentoo.org/glsa/201805-13","reference_id":"GLSA-201805-13","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201805-13"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1957","reference_id":"RHSA-2018:1957","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:1957"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2147","reference_id":"RHSA-2018:2147","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2147"},{"reference_url":"https://usn.ubuntu.com/3671-1/","reference_id":"USN-3671-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3671-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96445?format=json","purl":"pkg:deb/debian/git@1:2.17.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.17.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/
96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2018-11235"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hta3-stk3-87ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5943?format=json","vulnerability_id":"VCID-kw67-dcmu-vqf8","summary":"information 
disclosure","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5260.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5260.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5260","reference_id":"","reference_type":"","scores":[{"value":"0.373","scoring_system":"epss","scoring_elements":"0.97261","published_at":"2026-06-06T12:55:00Z"},{"value":"0.373","scoring_system":"epss","scoring_elements":"0.97256","published_at":"2026-06-04T12:55:00Z"},{"value":"0.373","scoring_system":"epss","scoring_elements":"0.97263","published_at":"2026-06-09T12:55:00Z"},{"value":"0.373","scoring_system":"epss","scoring_elements":"0.9726","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1822020","reference_id":"1822020","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1822020"},{"reference_url":"https://security.archlinux.org/ASA-202004-13","reference_id":"ASA-202004-13","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202004-13"},{"reference_url":"https://security.archlinux.org/AVG-1133","reference_id":"AVG-1133","reference_type":"","scores":[{"value":"Hig
h","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1133"},{"reference_url":"https://security.gentoo.org/glsa/202004-13","reference_id":"GLSA-202004-13","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202004-13"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1503","reference_id":"RHSA-2020:1503","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1503"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1511","reference_id":"RHSA-2020:1511","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1511"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1513","reference_id":"RHSA-2020:1513","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1513"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1518","reference_id":"RHSA-2020:1518","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3581","reference_id":"RHSA-2020:3581","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3581"},{"reference_url":"https://usn.ubuntu.com/4329-1/","reference_id":"USN-4329-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4329-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96452?format=json","purl":"pkg:deb/debian/git@1:2.26.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.26.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252B
deb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2020-5260"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kw67-dcmu-vqf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70291?format=json","vulnerability_id":"VCID-m7wd-gyvy-eudm","summary":"Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaround, if symbolic link support is disabled in Git (e.g. 
via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.6.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21300.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-21300.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21300","reference_id":"","reference_type":"","scores":[{"value":"0.58284","scoring_system":"epss","scoring_elements":"0.98227","published_at":"2026-06-09T12:55:00Z"},{"value":"0.58284","scoring_system":"epss","scoring_elements":"0.98229","published_at":"2026-06-08T12:55:00Z"},{"value":"0.61881","scoring_system":"epss","scoring_elements":"0.98365","published_at":"2026-06-05T12:55:00Z"},{"value":"0.61881","scoring_system":"epss","scoring_elements":"0.98367","published_at":"2026-06-07T12:55:00Z"},{"value":"0.61881","scoring_system":"epss","scoring_elements":"0.98362","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21300"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],
"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1935158","reference_id":"1935158","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1935158"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985120","reference_id":"985120","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985120"},{"reference_url":"https://security.archlinux.org/ASA-202103-3","reference_id":"ASA-202103-3","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202103-3"},{"reference_url":"https://security.archlinux.org/AVG-1665","reference_id":"AVG-1665","reference_type":"","scores":[{"value":"Low","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1665"},{"reference_url":"https://security.gentoo.org/glsa/202104-01","reference_id":"GLSA-202104-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202104-01"},{"reference_url":"https://usn.ubuntu.com/4761-1/","reference_id":"USN-4761-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4761-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96453?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vul
nerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2021-21300"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m7wd-gyvy-eudm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70305?format=json","vulnerability_id":"VCID-mef4-vsrh-nkb9","summary":"Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. 
The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41903.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41903.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41903","reference_id":"","reference_type":"","scores":[{"value":"0.17802","scoring_system":"epss","scoring_elements":"0.95254","published_at":"2026-06-04T12:55:00Z"},{"value":"0.17802","scoring_system":"epss","scoring_elements":"0.95269","published_at":"2026-06-09T12:55:00Z"},{"value":"0.17802","scoring_system":"epss","scoring_elements":"0.95261","published_at":"2026-06-05T12:55:00Z"},{"value":"0.17802","scoring_system":"epss","scoring_elements":"0.95263","published_at":"2026-06-06T12:55:00Z"},{"value":"0.17802","scoring_system":"epss","scoring_elements":"0.95266","published_at":"2026-06-07T12:55:00Z"},{"value":"0.17802","scoring_system":"epss","scoring_elements":"0.95265","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41903"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022
-29187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029114","reference_id":"1029114","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029114"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2162056","reference_id":"2162056","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2162056"},{"reference_url":"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76","reference_id":"508386c6c5857b4faa2c3e491f422c98cc69ae76","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:59:12Z/"}],"url":"https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76"},{"reference_url":"https://git-scm.com/book/en/v2/Cu
stomizing-Git-Git-Attributes#_export_subst","reference_id":"Customizing-Git-Git-Attributes#_export_subst","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:59:12Z/"}],"url":"https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq","reference_id":"GHSA-475x-2q3q-hvwq","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:59:12Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:59:12Z/"}],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem","reference_id":"pretty-formats.txt-emltltNgttruncltruncmtruncem","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:59:12Z/"}],"url":"https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0596","reference_id":"RHSA-2023:0596","reference_type":"","sco
res":[],"url":"https://access.redhat.com/errata/RHSA-2023:0596"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0597","reference_id":"RHSA-2023:0597","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0597"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0599","reference_id":"RHSA-2023:0599","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0599"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0609","reference_id":"RHSA-2023:0609","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0609"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0610","reference_id":"RHSA-2023:0610","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0610"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0611","reference_id":"RHSA-2023:0611","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0611"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0627","reference_id":"RHSA-2023:0627","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0627"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0628","reference_id":"RHSA-2023:0628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0978","reference_id":"RHSA-2023:0978","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0978"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1677","reference_id":"RHSA-2023:1677","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1677"},{"reference_url":"https://usn.ubuntu.com/5810-1/","reference_id":"USN-5810-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5810-1/"},{"reference_url":"https://usn.ubuntu.com/5810-3/","reference_id":"USN-5810-3","reference_type
":"","scores":[],"url":"https://usn.ubuntu.com/5810-3/"},{"reference_url":"https://usn.ubuntu.com/5810-4/","reference_id":"USN-5810-4","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5810-4/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96457?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96456?format=json","purl":"pkg:deb/debian/git@1:2.39.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.1-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://publi
c2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-41903"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mef4-vsrh-nkb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5998?format=json","vulnerability_id":"VCID-n2vf-p6js-xbdd","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1353.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1353.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1353","reference_id":"","reference_type":"","scores":[{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31812","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31883","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31851","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31813","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3178","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31804","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1353"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2
019-1349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781966","reference_id":"1781966","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781966"},{"reference_url":"https://security.archlinux.org/AVG-1074","reference_id":"AVG-1074","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1074"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdi
stro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1353"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n2vf-p6js-xbdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/6863?format=json","vulnerability_id":"VCID-nr4h-yth7-t7dm","summary":"arbitrary command 
execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24765.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24765.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24765","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37699","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37737","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37793","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37763","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37725","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37791","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=
CVE-2022-39253"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2073414","reference_id":"2073414","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2073414"},{"reference_url":"http://seclists.org/fulldisclosure/2022/May/31","reference_id":"31","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"http://seclists.org/fulldisclosure/2022/May/31"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/","reference_id":"5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/"},{"reference_url":"http://www.openwall.com/lists/oss-security/20
22/04/12/7","reference_id":"7","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/04/12/7"},{"reference_url":"https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash","reference_id":"Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash"},{"reference_url":"https://security.archlinux.org/AVG-2679","reference_id":"AVG-2679","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2679"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/","reference_id":"BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/","reference_id":"DDI325LOO2XBDDKLINOAQJEG6MHAURZE","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/","reference_id":"DIKWISWUDFT2FAITYIA6372BVLH3OOOC","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/"},{"reference_url":"https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode","reference_id":"git.txt-codeGITCEILINGDIRECTORIEScode","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://support.apple.com/kb/HT213261","reference_id":"HT213261","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1
/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://support.apple.com/kb/HT213261"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/","reference_id":"HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html","reference_id":"msg00025.html","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2319","reference_id":"RHSA-2023:2319","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2319"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2859","reference_id":"RHSA-2023:2859","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2859"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0407","reference_id":"RHSA-2024:0407","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0407"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/","reference_id":"SLP42KIZ6HAC
TVZMZLJLFJQ4W2XYT27M","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/","reference_id":"TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/","reference_id":"UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/"},{"reference_url":"https://usn.ubuntu.com/5376-1/","reference_id":"USN-5376-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5376-1/"},{"reference_url":"https://usn.ubuntu.com/5376-2/","reference_id":"USN-5376-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5376-2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%
40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/","reference_id":"YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-16T17:47:32Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96457?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96458?format=json","purl":"pkg:deb/debian/git@1:2.35.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.35.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http
://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-24765"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nr4h-yth7-t7dm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70364?format=json","vulnerability_id":"VCID-nz82-astn-jfd6","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. 
This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48386.json","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48386.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48386","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07448","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07505","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07483","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07498","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48386"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2378807","reference_id":"2378807","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2378807"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr","reference_id":"GHSA-4v56-3xvj-xvfr","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"},{"value":"Track","scoring_
system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T18:46:25Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"},{"reference_url":"https://usn.ubuntu.com/7626-1/","reference_id":"USN-7626-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7626-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96435?format=json","purl":"pkg:deb/debian/git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/d
ebian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2025-48386"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nz82-astn-jfd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5993?format=json","vulnerability_id":"VCID-p8mz-vdzw-f7gn","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1349.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1349.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1349","reference_id":"","reference_type":"","scores":[{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95564","published_at":"2026-06-09T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95558","published_at":"2026-06-06T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.9556","published_at":"2026-06-08T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95546","published_at":"2026-06-04T12:55:00Z"},{"value":"0.19687","scoring_system":"epss","scoring_elements":"0.95554","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352","reference_id":"","reference_type":"","scores":[],"url":"htt
ps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781143","reference_id":"1781143","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781143"},{"reference_url":"https://security.archlinux.org/ASA-201912-5","reference_id":"ASA-201912-5","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-5"},{"reference_url":"https://security.archlinux.org/ASA-201912-6","reference_id":"ASA-201912-6","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-6"},{"reference_url":"https://security.archlinux.org/AVG-1073","reference_id":"AVG-1073","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1073"},{"reference_url":"https://security.archlinux.org/AVG-1075","reference_id":"AVG-1075","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1075"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:4356","reference_id":"RHSA-2019:4356","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:4356"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0002","reference_id":"RHSA-2020:0002","reference_type":"","scores":[],"url":"https://access.redhat.com
/errata/RHSA-2020:0002"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0228","reference_id":"RHSA-2020:0228","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0228"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1349"],"risk_score":4.0,"exploitability":"0.5","weighted_
severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p8mz-vdzw-f7gn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70263?format=json","vulnerability_id":"VCID-pme7-rwv7-y7az","summary":"contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9938.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9938.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9938","reference_id":"","reference_type":"","scores":[{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73506","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73542","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73521","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73547","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73534","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-9938"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9938","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9938"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":
"https://bugzilla.redhat.com/show_bug.cgi?id=1434415","reference_id":"1434415","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1434415"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2004","reference_id":"RHSA-2017:2004","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2004"},{"reference_url":"https://usn.ubuntu.com/3243-1/","reference_id":"USN-3243-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3243-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96437?format=json","purl":"pkg:deb/debian/git@1:2.0.0~rc2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.0.0~rc2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.v
ulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2014-9938"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pme7-rwv7-y7az"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70326?format=json","vulnerability_id":"VCID-puvd-jdbs-bqef","summary":"Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. 
As always, it is best to avoid cloning repositories from untrusted sources.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32002.json","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32002.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32002","reference_id":"","reference_type":"","scores":[{"value":"0.82474","scoring_system":"epss","scoring_elements":"0.99252","published_at":"2026-06-09T12:55:00Z"},{"value":"0.82951","scoring_system":"epss","scoring_elements":"0.99271","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32002","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32002"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160","reference_id":"1071160","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","reference_id":"2","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2"},{"reference_url":"
https://bugzilla.redhat.com/show_bug.cgi?id=2280421","reference_id":"2280421","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280421"},{"reference_url":"https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d","reference_id":"97065761333fd62db1912d81b489db938d8c991d","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv","reference_id":"GHSA-8h77-4q3w-gfgv","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv"},{"reference_url":"https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt","reference_id":"git-clone.txt---recurse-submodulesltpathspecgt","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt"},{"reference_url":"https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks","reference_id":"git-config.txt-coresymlinks","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc",
"scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","reference_id":"msg00018.html","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4083","reference_id":"RHSA-2024:4083","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4083"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4084","reference_id":"RHSA-2024:4084","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4084"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4368","reference_id":"RHSA-2024:4368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4368"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4579","reference_id":"RHSA-2024:4579","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4579"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6027","reference_id":"RHSA-2024:6027","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6027"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6028","reference_id":"RHSA-2024:6028","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6028"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6610","reference_id":"RHSA-2024:6610","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6610"},{"reference_url":"https://lists.fedoraproject.org/archives/lis
t/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","reference_id":"S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-29T14:18:00Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"},{"reference_url":"https://usn.ubuntu.com/6793-1/","reference_id":"USN-6793-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6793-1/"},{"reference_url":"https://usn.ubuntu.com/6793-2/","reference_id":"USN-6793-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6793-2/"},{"reference_url":"https://usn.ubuntu.com/7023-1/","reference_id":"USN-7023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnera
blecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96465?format=json","purl":"pkg:deb/debian/git@1:2.45.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.45.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-32002"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-puvd-jdbs-bqef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5999?format=json","vulnerability_id":"VCID-qcr6-k6mp-j7b6","summary":"arbitrary code 
execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1351.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1351.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1351","reference_id":"","reference_type":"","scores":[{"value":"0.17105","scoring_system":"epss","scoring_elements":"0.95124","published_at":"2026-06-04T12:55:00Z"},{"value":"0.17105","scoring_system":"epss","scoring_elements":"0.95133","published_at":"2026-06-05T12:55:00Z"},{"value":"0.17105","scoring_system":"epss","scoring_elements":"0.95134","published_at":"2026-06-06T12:55:00Z"},{"value":"0.17105","scoring_system":"epss","scoring_elements":"0.95135","published_at":"2026-06-08T12:55:00Z"},{"value":"0.17105","scoring_system":"epss","scoring_elements":"0.95139","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1351"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781960","reference_id":"1781960","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781960"},{"reference_url":"https://security.archlinux.org/AVG-1074","reference_id":"AVG-1074","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1074"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api
/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1351"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qcr6-k6mp-j7b6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70310?format=json","vulnerability_id":"VCID-qf3z-rq9t-rbcy","summary":"Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. 
By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23946.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23946.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23946","reference_id":"","reference_type":"","scores":[{"value":"0.01625","scoring_system":"epss","scoring_elements":"0.82197","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01625","scoring_system":"epss","scoring_elements":"0.82226","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01674","scoring_system":"epss","scoring_elements":"0.82501","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01674","scoring_system":"epss","scoring_elements":"0.82514","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01674","scoring_system":"epss","scoring_elements":"0.82511","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01674","scoring_system":"epss","scoring_elements":"0.82508","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23946"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitr
e.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031310","reference_id":"1031310","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031310"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161","reference_id":"2168161","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"reference_url":"https://security.gentoo.org/glsa/202312-15","reference_id":"GLSA-202312-15","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202312-15"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3245","reference_id":"RHSA-2023:3245","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3245"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3246","reference_id":"RHSA-2023:3246","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0407","reference_id":"RHSA-2024:0407","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0407"},{"reference_url":"https://usn.ubuntu.com/5871-1/","reference_id":"USN-5871-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5871-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11
u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96462?format=json","purl":"pkg:deb/debian/git@1:2.39.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2023-23946"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qf3z-rq9t-rbcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70356?format=json","vulnerability_id":"VCID-qrkj-vx62-8bbf","summary":"Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. 
This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-46835.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-46835.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46835","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08915","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.116","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11482","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11563","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11596","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46835"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46835","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46835"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983","reference_id":"1108983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379326","reference_id"
:"2379326","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379326"},{"reference_url":"https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da","reference_id":"dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-10T15:53:11Z/"}],"url":"https://github.com/j6t/git-gui/compare/dcda716dbc9c90bcac4611bd1076747671ee0906..a437f5bc93330a70b42a230e52f3bd036ca1b1da"},{"reference_url":"https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg","reference_id":"GHSA-xfx7-68v4-v8fg","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-10T15:53:11Z/"}],"url":"https://github.com/j6t/git-gui/security/advisories/GHSA-xfx7-68v4-v8fg"},{"reference_url":"https://security.gentoo.org/glsa/202507-09","reference_id":"GLSA-202507-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202507-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://usn.ubuntu.com/762
6-1/","reference_id":"USN-7626-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7626-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96472?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u5%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96473?format=json","purl":"pkg:deb/debian/git@1:2.50.1-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.50.1-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2025-4
6835"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrkj-vx62-8bbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62468?format=json","vulnerability_id":"VCID-r6mn-m4dz-2yhp","summary":"Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2324.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2324.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2324","reference_id":"","reference_type":"","scores":[{"value":"0.2205","scoring_system":"epss","scoring_elements":"0.95889","published_at":"2026-06-04T12:55:00Z"},{"value":"0.2205","scoring_system":"epss","scoring_elements":"0.95893","published_at":"2026-06-05T12:55:00Z"},{"value":"0.2205","scoring_system":"epss","scoring_elements":"0.95897","published_at":"2026-06-08T12:55:00Z"},{"value":"0.2205","scoring_system":"epss","scoring_elements":"0.95903","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2324"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:P"}],"url":"https://ftp.suse.com/pub/proj
ects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1317981","reference_id":"1317981","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1317981"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818318","reference_id":"818318","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818318"},{"reference_url":"https://security.gentoo.org/glsa/201605-01","reference_id":"GLSA-201605-01","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201605-01"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0496","reference_id":"RHSA-2016:0496","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0496"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:0497","reference_id":"RHSA-2016:0497","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:0497"},{"reference_url":"https://usn.ubuntu.com/2938-1/","reference_id":"USN-2938-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2938-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96440?format=json","purl":"pkg:deb/debian/git@1:2.8.0~rc3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.8.0~rc3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"
http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2016-2324"],"risk_score":1.7,"exploitability":"0.5","weighted_severity":"3.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r6mn-m4dz-2yhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4407?format=json","vulnerability_id":"VCID-s2ss-49w8-rufd","summary":"arbitrary command 
execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000117.json","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000117.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000117","reference_id":"","reference_type":"","scores":[{"value":"0.70245","scoring_system":"epss","scoring_elements":"0.98699","published_at":"2026-06-09T12:55:00Z"},{"value":"0.70245","scoring_system":"epss","scoring_elements":"0.98698","published_at":"2026-06-04T12:55:00Z"},{"value":"0.70245","scoring_system":"epss","scoring_elements":"0.987","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000117"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:H/Au:N/C:P/I:P/A:P"},{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1480386","reference_id":"1480386","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1480386"},{"reference_url":"https://security.archlinux.org/ASA-201708-6","reference_id":"ASA-201708-6","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201708-6"},{"reference_url":"https://security.archlinux.org/AVG-377","reference_id":"AVG-377","reference_type":"","scores":[{"value":"Critica
l","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-377"},{"reference_url":"https://github.com/rapid7/metasploit-framework/blob/202c936868328a4fe665c9d2ea82b8f8a2610b6e/modules/exploits/multi/http/git_submodule_command_exec.rb","reference_id":"CVE-2017-1000117","reference_type":"exploit","scores":[],"url":"https://github.com/rapid7/metasploit-framework/blob/202c936868328a4fe665c9d2ea82b8f8a2610b6e/modules/exploits/multi/http/git_submodule_command_exec.rb"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/42599.rb","reference_id":"CVE-2017-1000117","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/42599.rb"},{"reference_url":"https://security.gentoo.org/glsa/201709-10","reference_id":"GLSA-201709-10","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201709-10"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2484","reference_id":"RHSA-2017:2484","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2484"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2485","reference_id":"RHSA-2017:2485","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2485"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2491","reference_id":"RHSA-2017:2491","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2491"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:2674","reference_id":"RHSA-2017:2674","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:2674"},{"reference_url":"https://usn.ubuntu.com/3387-1/","reference_id":"USN-3387-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3387-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96441?format=json","purl":"pkg:deb/debian/git@1:2.14.1-1?di
stro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.14.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2017-1000117"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s2ss-49w8-rufd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70344?format=json","vulnerability_id":"VCID-txbr-22uc-hybf","summary":"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. 
Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52006.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52006.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52006","reference_id":"","reference_type":"","scores":[{"value":"0.03365","scoring_system":"epss","scoring_elements":"0.87603","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03365","scoring_system":"epss","scoring_elements":"0.87593","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03365","scoring_system":"epss","scoring_elements":"0.87592","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03365","scoring_system":"epss","scoring_elements":"0.87591","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52006"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52006","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52006"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093042","reference_id":"1093042","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093042"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2337956","reference_id":"2337956","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2337956"},{"reference_url":"https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060","reference_id":"b01b9b81d36759cdcd07305e78765199e1bc2060","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:52:03Z/"}],"url":"https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060"},{"reference_url":"https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g","reference_id":"GHSA-86c2-4x57-wc8g","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:52:03Z/"}],"url":"https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q","reference_id":"GHSA-qm7j-c969-7j4q","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:52:03Z/"}],"url":"https
://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp","reference_id":"GHSA-r5ph-xg7q-xfrp","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:52:03Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11462","reference_id":"RHSA-2025:11462","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11462"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11533","reference_id":"RHSA-2025:11533","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11533"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:11534","reference_id":"RHSA-2025:11534","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:11534"},{"reference_url":"https://usn.ubuntu.com/7207-1/","reference_id":"USN-7207-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7207-1/"},{"reference_url":"https://usn.ubuntu.com/7207-2/","reference_id":"USN-7207-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7207-2/"},{"reference_url":"https://usn.ubuntu.com/7964-1/","reference_id":"USN-7964-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7964-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96469?format=jso
n","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u4?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96467?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96471?format=json","purl":"pkg:deb/debian/git@1:2.47.2-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.2-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-52006"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txbr-22uc-hybf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5992?format=
json","vulnerability_id":"VCID-uzre-pn56-a3az","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1352.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1352.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1352","reference_id":"","reference_type":"","scores":[{"value":"0.07303","scoring_system":"epss","scoring_elements":"0.91839","published_at":"2026-06-09T12:55:00Z"},{"value":"0.07303","scoring_system":"epss","scoring_elements":"0.91827","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07303","scoring_system":"epss","scoring_elements":"0.91824","published_at":"2026-06-08T12:55:00Z"},{"value":"0.07303","scoring_system":"epss","scoring_elements":"0.91812","published_at":"2026-06-04T12:55:00Z"},{"value":"0.07303","scoring_system":"epss","scoring_elements":"0.91825","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353"},{"reference_url":"https://cve.mit
re.org/cgi-bin/cvename.cgi?name=CVE-2019-1387","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781963","reference_id":"1781963","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1781963"},{"reference_url":"https://security.archlinux.org/ASA-201912-5","reference_id":"ASA-201912-5","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-5"},{"reference_url":"https://security.archlinux.org/ASA-201912-6","reference_id":"ASA-201912-6","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-201912-6"},{"reference_url":"https://security.archlinux.org/AVG-1073","reference_id":"AVG-1073","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1073"},{"reference_url":"https://security.archlinux.org/AVG-1075","reference_id":"AVG-1075","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1075"},{"reference_url":"https://security.gentoo.org/glsa/202003-30","reference_id":"GLSA-202003-30","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202003-30"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:4356","reference_id":"RHSA-2019:4356","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2019:4356"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0002","reference_id":"RHSA-2020:0002","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0002"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0228","reference_id":"RHSA-2020:0228","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0228"},{"reference_url":"https://usn.ubuntu.com/4220-1/","reference_id":"USN-4220-1","r
eference_type":"","scores":[],"url":"https://usn.ubuntu.com/4220-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96448?format=json","purl":"pkg:deb/debian/git@1:2.24.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.24.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2019-1352"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uzre-pn56-a3az"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70257?format=json","vulnerability_id":"VCID-xnnp-a2qf-aycn","summary":"Cross-site scripting (XSS) vulnerability in Gitweb 
1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2010-3906.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2010-3906.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3906","reference_id":"","reference_type":"","scores":[{"value":"0.1349","scoring_system":"epss","scoring_elements":"0.94344","published_at":"2026-06-04T12:55:00Z"},{"value":"0.1349","scoring_system":"epss","scoring_elements":"0.94353","published_at":"2026-06-05T12:55:00Z"},{"value":"0.1349","scoring_system":"epss","scoring_elements":"0.94354","published_at":"2026-06-06T12:55:00Z"},{"value":"0.1349","scoring_system":"epss","scoring_elements":"0.94355","published_at":"2026-06-08T12:55:00Z"},{"value":"0.1349","scoring_system":"epss","scoring_elements":"0.9436","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3906"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3906","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3906"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=663609","reference_id":"663609","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=663609"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/cgi/webapps/15744.txt","reference_id":"CVE-2010-3906;OSVDB-69929","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/cgi/webapps/15744.txt"},{"reference_url":"https://access.redhat.com/errata/RHSA-2010:1003","reference_id":"RHSA-2010:1003","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2010:1003"}],"fixed_packages":[{"url":"http://public2.vulne
rablecode.io/api/packages/96431?format=json","purl":"pkg:deb/debian/git@1:1.7.2.3-2.2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:1.7.2.3-2.2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2010-3906"],"risk_score":0.2,"exploitability":"2.0","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xnnp-a2qf-aycn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70339?format=json","vulnerability_id":"VCID-xs7d-8hkz-u3dv","summary":"Git is a revision control system. 
The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32465.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-32465.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32465","reference_id":"","reference_type":"","scores":[{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35991","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.36049","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.36059","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.36018","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35977","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v
1/epss?cve=CVE-2024-32465"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32465","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32465"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160","reference_id":"1071160","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/05/14/2","reference_id":"2","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/05/14/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280446","reference_id":"2280446","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2280446"},{"reference_url":"https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7","reference_id":"7b70e9efb18c2cc3f219af399bd384c5801ba1d7","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7"},{"reference_url":"https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4","reference_id":"GHSA-vm9j-46j9-qvq4","reference_ty
pe":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4"},{"reference_url":"https://git-scm.com/docs/git-clone","reference_id":"git-clone","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"https://git-scm.com/docs/git-clone"},{"reference_url":"https://git-scm.com/docs/git#_security","reference_id":"git#_security","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"https://git-scm.com/docs/git#_security"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html","reference_id":"msg00018.html","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4083","reference_id":"RHSA-2024:4083","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4083"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4084","reference_id":"RHSA-2024:4084","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4084"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4
368","reference_id":"RHSA-2024:4368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4368"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/","reference_id":"S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-15T14:24:08Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/"},{"reference_url":"https://usn.ubuntu.com/6793-1/","reference_id":"USN-6793-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6793-1/"},{"reference_url":"https://usn.ubuntu.com/7023-1/","reference_id":"USN-7023-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7023-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96450?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96463?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u1%3Fdistro=tr
ixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96465?format=json","purl":"pkg:deb/debian/git@1:2.45.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.45.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-32465"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xs7d-8hkz-u3dv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70260?format=json","vulnerability_id":"VCID-ydws-8azx-eqfw","summary":"The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid 
certificate.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0308.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0308.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-0308","reference_id":"","reference_type":"","scores":[{"value":"0.01204","scoring_system":"epss","scoring_elements":"0.79269","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01204","scoring_system":"epss","scoring_elements":"0.79295","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01488","scoring_system":"epss","scoring_elements":"0.81407","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01488","scoring_system":"epss","scoring_elements":"0.81405","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01488","scoring_system":"epss","scoring_elements":"0.81399","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01488","scoring_system":"epss","scoring_elements":"0.81416","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-0308"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=909977","reference_id":"909977","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=909977"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:0589","reference_id":"RHSA-2013:0589","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:0589"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96435?format=json","purl":"pkg:deb/debian/git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96432?format=json","purl":"pkg:deb/debian/git@1:2.30.2-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-92ej-fqvf-zuf5"}],"resourc
e_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96430?format=json","purl":"pkg:deb/debian/git@1:2.39.5-0%2Bdeb12u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.39.5-0%252Bdeb12u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96434?format=json","purl":"pkg:deb/debian/git@1:2.47.3-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.47.3-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96433?format=json","purl":"pkg:deb/debian/git@1:2.53.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.53.0-1%3Fdistro=trixie"}],"aliases":["CVE-2013-0308"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ydws-8azx-eqfw"}],"risk_score":"1.8","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/git@1:2.30.2-1%252Bdeb11u2%3Fdistro=trixie"}