{"id":"UBUNTU-CVE-2014-9390","details":"Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.","modified":"2026-04-22T09:55:07.441569Z","published":"2014-12-19T00:00:00Z","related":["USN-2470-1"],"upstream":["CVE-2014-9390"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-9390"},{"type":"REPORT","url":"http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html"},{"type":"REPORT","url":"http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29"},{"type":"REPORT","url":"http://article.gmane.org/gmane.linux.kernel/1853266"},{"type":"REPORT","url":"https://developer.atlassian.com/blog/2014/12/securing-your-git-server/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2470-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2014-9390"}],"affected":[{"package":{"name":"git","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/git@1:1.9.1-1ubuntu0.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:1.9.1-1ubuntu0.1"}]}],"versions":["1:1.8.3.2-1","1:1.8.4.2-1","1:1.8.4.3-1","1:1.8.4.4-1","1:1.8.5-1","1:1.8.5.1-1","1:1.8.5.2-1","1:1.8.5.2-2","1:1.8.5.3-1","1:1.9~rc1-1","1:1.9.0-1","1:1.9.1-1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-all"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-arch"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-bzr"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-core"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-cvs"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-daemon-run"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-daemon-sysvinit"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-el"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-email"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-gui"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-man"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-mediawiki"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"git-svn"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"gitk"},{"binary_version":"1:1.9.1-1ubuntu0.1","binary_name":"gitweb"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-9390.json"}},{"package":{"name":"mercurial","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/mercurial@2.8.2-1ubuntu1.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.2-1ubuntu1.3"}]}],"versions":["2.6.3-1","2.7.2-1","2.8.1-2","2.8.2-1ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.8.2-1ubuntu1.3","binary_name":"mercurial"},{"binary_version":"2.8.2-1ubuntu1.3","binary_name":"mercurial-common"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-9390.json"}},{"package":{"name":"libgit2","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/libgit2@0.19.0-2ubuntu0.4+esm1?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.19.0-2","0.19.0-2ubuntu0.4","0.19.0-2ubuntu0.4+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.19.0-2ubuntu0.4+esm1","binary_name":"libgit2-0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-9390.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}