CVE-2019-19604: Git submodule loading vulnerability


Severity

Critical

Vendor

Pivotal

Description

Pivotal Concourse, versions 5.2.x prior to 5.2.6 and versions 5.5.x prior to 5.5.7, contains vulnerable versions of git. Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
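
As an added example (not part of this advisory, and not Pivotal's or Git's own code), two defensive checks an operator could run before upgrading: one decides whether a bare Git version string falls inside the affected ranges listed above, the other scans a .gitmodules file for submodules whose `update` setting is a `!`-prefixed shell command, the .gitmodules setting that lets "git submodule update" run commands on the affected Git versions. Function names are my own and the sample .gitmodules is constructed.

```python
"""Added example (not from the advisory): defensive checks for CVE-2019-19604."""
import re

# Fixed patch level per Git minor line, taken from the advisory's affected ranges.
FIXED_GIT = {(2, 20): 2, (2, 21): 1, (2, 22): 2, (2, 23): 1, (2, 24): 1}


def git_is_vulnerable(version: str) -> bool:
    """True if a bare Git version string such as '2.23.0' is in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised git version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) < (2, 20):
        return True                  # everything before 2.20.2 is affected
    fixed_patch = FIXED_GIT.get((major, minor))
    if fixed_patch is None:
        return False                 # newer minor lines are not listed as affected
    return patch < fixed_patch


SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")

def find_custom_update_commands(gitmodules_text: str) -> dict[str, str]:
    """Map submodule name -> command for each entry whose 'update' setting is a
    '!'-prefixed shell command, the .gitmodules setting the advisory warns about."""
    findings, current = {}, None
    for line in gitmodules_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)      # entering [submodule "<name>"]
            continue
        kv = KEY_RE.match(line)
        if kv and current and kv.group(1).lower() == "update" and kv.group(2).startswith("!"):
            findings[current] = kv.group(2)[1:]
    return findings


# Constructed sample .gitmodules: one ordinary submodule, one with a custom update command.
SAMPLE_GITMODULES = """\
[submodule "vendored-lib"]
\tpath = vendored-lib
\turl = https://example.invalid/vendored-lib.git
[submodule "tooling"]
\tpath = tooling
\turl = https://example.invalid/tooling.git
\tupdate = !echo harmless-demo-command
"""
```

Any submodule flagged by the scanner should be reviewed before running "git submodule update" on a Git build that the version check reports as affected.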

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • Pivotal Concourse
    • 5.2 versions prior to 5.2.6
    • 5.5 versions prior to 5.5.7

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • Pivotal Concourse
    • 5.2.6
    • 5.5.7

History

2020-02-11: Initial vulnerability report published.