CVE-2014-9390: Arbitrary command execution

December 18, 2014

An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Fixed versions of the gem depend on fixed versions of libgit2.

References

article.gmane.org/gmane.linux.kernel/1853266
github.com/blog/1938-vulnerability-announced-update-your-git-clients
github.com/libgit2/libgit2/releases/tag/v0.21.3

Detect and mitigate CVE-2014-9390 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →