CVE-2019-19604: Git submodule loading vulnerability
Pivotal Concourse, versions 5.2.x prior to 5.2.6 and versions 5.5.x prior to 5.5.7, contains vulnerable versions of Git. Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
Severity is critical unless otherwise noted.
- 5.2 versions prior to 5.2.6
- 5.5 versions prior to 5.5.7
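To check an inventory against the version ranges above, the following added example (not part of the original advisory or of Concourse) classifies a Git version string or a Concourse version as affected or not. The function names `parse_version`, `git_affected` and `concourse_affected` are hypothetical, and the sample inputs are constructed.

```python
import re

# Fixed Git release per maintenance branch, copied from the advisory text.
GIT_FIXED = {(2, 20): (2, 20, 2), (2, 21): (2, 21, 1), (2, 22): (2, 22, 2),
             (2, 23): (2, 23, 1), (2, 24): (2, 24, 1)}
# Fixed Concourse release per affected line, copied from the advisory text.
CONCOURSE_FIXED = {(5, 2): (5, 2, 6), (5, 5): (5, 5, 7)}


def parse_version(text):
    """Return (major, minor, patch) from a bare version or `git --version` output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def git_affected(text):
    """True if the Git version falls in a range the advisory lists as vulnerable.

    Compares upstream version numbers only; a distribution build with a
    backported fix still reports the old number and needs a package-level check.
    """
    version = parse_version(text)
    oldest_branch = min(GIT_FIXED)
    if version[:2] < oldest_branch:
        return True  # "Git before 2.20.2" covers every older branch
    fixed = GIT_FIXED.get(version[:2])
    return fixed is not None and version < fixed  # 2.25+ is not listed


def concourse_affected(text):
    """True/False for the 5.2.x and 5.5.x lines; None if the advisory is silent."""
    version = parse_version(text)
    fixed = CONCOURSE_FIXED.get(version[:2])
    return None if fixed is None else version < fixed


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("git version 2.24.0", "git version 2.24.1.windows.2",
                   "git version 2.17.1", "git version 2.25.0"):
        print(f"{sample!r}: affected={git_affected(sample)}")
    for sample in ("5.2.5", "5.5.7", "5.4.0"):
        print(f"concourse {sample}: affected={concourse_affected(sample)}")
```
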
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
2020-02-11: Initial vulnerability report published.