CVE-2014-9390: Input Validation
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Other sources
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
— GitHub
Git, when used as a client on a case-insensitive filesystem, could allow a remote attacker to execute arbitrary commands on the system. By overwriting a malicious .git/config file when cloning or checking out a repository, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the privileges of the user running the git client.
— IBM
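The three variants named in the description all rely on a tree entry that the client does not recognise as `.git` but that the filesystem resolves to it. As an added defensive example (not Git's or any vendor's own code), the check below normalizes each path component the way a case-insensitive filesystem would and flags tree entries that would land inside `.git` on checkout; the ignorable-codepoint set, the trailing dot/space stripping and the `git~1` short name are assumptions drawn from the three cases above, and the sample tree is constructed.

```python
"""Flag tree paths that alias ".git" on a case-insensitive filesystem."""

# Codepoints that HFS+ ignores when comparing names, so ".g<ZWNJ>it" collides
# with ".git" on OS X. Assumed illustrative set, not claimed to be exhaustive.
HFS_IGNORABLE = (
    {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
    | set(range(0x202A, 0x202F))
    | set(range(0x206A, 0x2070))
)

# NTFS 8.3 short name generated for ".git" (assumption for this example).
DOTGIT_ALIASES = {".git", "git~1"}


def normalize_component(name: str) -> str:
    """Reduce one path component to the form a lax filesystem would see."""
    visible = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    # NTFS drops trailing dots and spaces when resolving a name.
    visible = visible.rstrip(". ")
    # Case-insensitive comparison covers the mixed-case variant.
    return visible.lower()


def is_dotgit_alias(name: str) -> bool:
    """True if this component would resolve to the .git directory."""
    return normalize_component(name) in DOTGIT_ALIASES


def find_dotgit_aliases(paths):
    """Return every tree path with a component that aliases .git."""
    return [p for p in paths if any(is_dotgit_alias(c) for c in p.split("/"))]


# Constructed sample tree listing mixing benign and suspicious entries.
SAMPLE_TREE = [
    "README.md",
    ".gitignore",
    ".Git/config",
    ".g\u200cit/hooks/post-checkout",
    "git~1/config",
    "src/main.c",
]

if __name__ == "__main__":
    for path in find_dotgit_aliases(SAMPLE_TREE):
        print("refusing to check out:", ascii(path))
```

Rejecting such entries before writing the working tree is the same class of check the patched clients added; `.gitignore` and plain `git` stay allowed because only an exact post-normalization match is flagged.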
Remediation
Patch Available
Frequently Asked Questions
What is the severity of CVE-2014-9390?
The severity of CVE-2014-9390 is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2014-9390?
Git versions before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial versions before 3.2.3 on Windows and OS X; Apple Xcode versions before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014.
How can I fix CVE-2014-9390 on Windows and OS X?
To fix CVE-2014-9390 on Windows and OS X, you need to update Git to version 1.8.5.6 or later, Mercurial to version 3.2.3 or later, and Apple Xcode to version 6.2 beta 3 or later.
Is Apple Mac OS X vulnerable to CVE-2014-9390?
No, Apple Mac OS X is not vulnerable to CVE-2014-9390.
Where can I find more information about CVE-2014-9390?
You can find more information about CVE-2014-9390 at the following references: [link1](http://article.gmane.org/gmane.linux.kernel/1853266), [link2](http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html), [link3](http://mercurial.selenic.com/wiki/WhatsNew).