VDB

CVE-2014-9390

CVE-2014-9390 PUBLISHED

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

EPSS 77.15% · 99.0th percentile

Risk Scores

EPSS Score
77.15%
99.0th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:14.04:LTSlibgit20, 0.19.0-2, 0.19.0-2ubuntu0.4
Ubuntu:14.04:LTSmercurial2.7.2-1, 2.6.3-1, 2.8.1-2
Ubuntu:14.04:LTSgit1:1.8.5-1, 1:1.8.5.1-1, 1:1.8.5.2-2

Exploit Intelligence

…and 17 more exploits

Timeline

  • Dec 18, 2014 CVE Published
  • Mar 23, 2017 PoC Published
  • May 29, 2018 PoC Published
  • Feb 4, 2022 EPSS Score
  • May 20, 2022 EPSS Score
  • Jul 12, 2022 EPSS Score
  • Oct 26, 2022 EPSS Score
  • Feb 8, 2023 EPSS Score
  • Apr 2, 2023 EPSS Score
  • May 25, 2023 EPSS Score
  • Sep 7, 2023 EPSS Score
  • Dec 21, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›