Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-48384 (GCVE-0-2025-48384)
Vulnerability from cvelistv5 – Published: 2025-07-08 18:23 – Updated: 2025-11-04 21:11
VLAI?
EPSS
Title
Git allows arbitrary code execution through broken config quoting
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Severity ?
8.1 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48384",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T03:55:23.181071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-08-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:45:22.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-25T00:00:00+00:00",
"value": "CVE-2025-48384 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:00.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/60"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "git",
"vendor": "git",
"versions": [
{
"status": "affected",
"version": "\u003c 2.43.7"
},
{
"status": "affected",
"version": "\u003e= 2.44.0-rc0, \u003c 2.44.4"
},
{
"status": "affected",
"version": "\u003e= 2.45.0-rc0, \u003c 2.45.4"
},
{
"status": "affected",
"version": "\u003e= 2.46.0-rc0, \u003c 2.46.4"
},
{
"status": "affected",
"version": "\u003e= 2.47.0-rc0, \u003c 2.47.3"
},
{
"status": "affected",
"version": "\u003e= 2.48.0-rc0, \u003c 2.48.2"
},
{
"status": "affected",
"version": "\u003e= 2.49.0-rc0, \u003c 2.49.1"
},
{
"status": "affected",
"version": "\u003e= 2.50.0-rc0, \u003c 2.50.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T18:23:48.710Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"
}
],
"source": {
"advisory": "GHSA-vwqx-4fm8-6qc9",
"discovery": "UNKNOWN"
},
"title": "Git allows arbitrary code execution through broken config quoting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48384",
"datePublished": "2025-07-08T18:23:48.710Z",
"dateReserved": "2025-05-19T15:46:00.397Z",
"dateUpdated": "2025-11-04T21:11:00.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2025-48384",
"cwes": "[\"CWE-59\", \"CWE-436\"]",
"dateAdded": "2025-08-25",
"dueDate": "2025-09-15",
"knownRansomwareCampaignUse": "Unknown",
"notes": "This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 ; https://access.redhat.com/errata/RHSA-2025:13933 ; https://alas.aws.amazon.com/AL2/ALAS2-2025-2941.html ; https://linux.oracle.com/errata/ELSA-2025-11534.html ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48384 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48384",
"product": "Git",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Git contains a link following vulnerability that stems from Git\u2019s inconsistent handling of carriage return characters in configuration files.",
"vendorProject": "Git",
"vulnerabilityName": "Git Link Following Vulnerability"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html\"}, {\"url\": \"http://seclists.org/fulldisclosure/2025/Sep/60\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/08/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:11:00.255Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48384\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-26T03:55:23.181071Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-08-25\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-08-25T00:00:00+00:00\", \"value\": \"CVE-2025-48384 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-08T18:35:20.601Z\"}}], \"cna\": {\"title\": \"Git allows arbitrary code execution through broken config quoting\", \"source\": {\"advisory\": \"GHSA-vwqx-4fm8-6qc9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"git\", \"product\": \"git\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.43.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.44.0-rc0, \u003c 2.44.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.45.0-rc0, \u003c 2.45.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.46.0-rc0, \u003c 2.46.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.47.0-rc0, \u003c 2.47.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.48.0-rc0, \u003c 2.48.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.49.0-rc0, \u003c 2.49.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.50.0-rc0, \u003c 2.50.1\"}]}], \"references\": [{\"url\": \"https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9\", \"name\": \"https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-436\", \"description\": \"CWE-436: Interpretation Conflict\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-08T18:23:48.710Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48384\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:11:00.255Z\", \"dateReserved\": \"2025-05-19T15:46:00.397Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-08T18:23:48.710Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
cve-2025-48384
Vulnerability from osv_almalinux
Published
2025-07-22 00:00
Modified
2025-07-24 09:25
Summary
Important: git security update
Details
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
- git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)
- git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)
- git: Git arbitrary code execution (CVE-2025-48384)
- git: Git arbitrary file writes (CVE-2025-48385)
- gitk: Git file creation flaw (CVE-2025-27613)
- gitk: git script execution flaw (CVE-2025-27614)
- git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-all"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-core-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-email"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-gui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-instaweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-subtree"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "git-svn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "gitk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "gitweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "perl-Git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "perl-Git-SVN"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el10_0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. \n\nSecurity Fix(es): \n\n * git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)\n * git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)\n * git: Git arbitrary code execution (CVE-2025-48384)\n * git: Git arbitrary file writes (CVE-2025-48385)\n * gitk: Git file creation flaw (CVE-2025-27613)\n * gitk: git script execution flaw (CVE-2025-27614)\n * git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:11533",
"modified": "2025-07-24T09:25:29Z",
"published": "2025-07-22T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:11533"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-50349"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-52006"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-27613"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-27614"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-46835"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-48384"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-48385"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2337824"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2337956"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2378806"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2378808"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379124"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379125"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379326"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2025-11533.html"
}
],
"related": [
"CVE-2024-50349",
"CVE-2024-52006",
"CVE-2025-48384",
"CVE-2025-48385",
"CVE-2025-27613",
"CVE-2025-27614",
"CVE-2025-46835"
],
"summary": "Important: git security update"
}
cve-2025-48384
Vulnerability from osv_almalinux
Published
2025-07-22 00:00
Modified
2025-07-23 08:07
Summary
Important: git security update
Details
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
- git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)
- git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)
- git: Git arbitrary code execution (CVE-2025-48384)
- git: Git arbitrary file writes (CVE-2025-48385)
- gitk: Git file creation flaw (CVE-2025-27613)
- gitk: git script execution flaw (CVE-2025-27614)
- git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-all"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-core-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-credential-libsecret"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-daemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-email"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-gui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-instaweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-subtree"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "git-svn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "gitk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "gitweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "perl-Git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "perl-Git-SVN"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.43.7-1.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. \n\nSecurity Fix(es): \n\n * git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)\n * git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)\n * git: Git arbitrary code execution (CVE-2025-48384)\n * git: Git arbitrary file writes (CVE-2025-48385)\n * gitk: Git file creation flaw (CVE-2025-27613)\n * gitk: git script execution flaw (CVE-2025-27614)\n * git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:11534",
"modified": "2025-07-23T08:07:31Z",
"published": "2025-07-22T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:11534"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-50349"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-52006"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-27613"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-27614"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-46835"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-48384"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-48385"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2337824"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2337956"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2378806"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2378808"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379124"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379125"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379326"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2025-11534.html"
}
],
"related": [
"CVE-2024-50349",
"CVE-2024-52006",
"CVE-2025-48384",
"CVE-2025-48385",
"CVE-2025-27613",
"CVE-2025-27614",
"CVE-2025-46835"
],
"summary": "Important: git security update"
}
cve-2025-48384
Vulnerability from osv_almalinux
Published
2025-07-21 00:00
Modified
2025-07-22 10:34
Summary
Important: git security update
Details
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
- git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)
- git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)
- git: Git arbitrary code execution (CVE-2025-48384)
- git: Git arbitrary file writes (CVE-2025-48385)
- gitk: Git file creation flaw (CVE-2025-27613)
- gitk: git script execution flaw (CVE-2025-27614)
- git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-all"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-core-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-credential-libsecret"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-daemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-email"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-gui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-instaweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-subtree"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "git-svn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "gitk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "gitweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "perl-Git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "perl-Git-SVN"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.47.3-1.el9_6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. \n\nSecurity Fix(es): \n\n * git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)\n * git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)\n * git: Git arbitrary code execution (CVE-2025-48384)\n * git: Git arbitrary file writes (CVE-2025-48385)\n * gitk: Git file creation flaw (CVE-2025-27613)\n * gitk: git script execution flaw (CVE-2025-27614)\n * git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2025:11462",
"modified": "2025-07-22T10:34:40Z",
"published": "2025-07-21T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2025:11462"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-50349"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-52006"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-27613"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-27614"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-46835"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-48384"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-48385"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2337824"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2337956"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2378806"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2378808"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379124"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379125"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2379326"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2025-11462.html"
}
],
"related": [
"CVE-2024-50349",
"CVE-2024-52006",
"CVE-2025-48384",
"CVE-2025-48385",
"CVE-2025-27613",
"CVE-2025-27614",
"CVE-2025-46835"
],
"summary": "Important: git security update"
}
CERTFR-2025-AVI-0579
Vulnerability from certfr_avis - Published: 2025-07-09 - Updated: 2025-07-09
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | Python extension pour Visual Studio Code versions antérieures à 2025.8.1 | ||
| Microsoft | N/A | Microsoft SharePoint Enterprise Server 2016 versions antérieures à 16.0.5508.1000 | ||
| Microsoft | N/A | Microsoft SharePoint Server 2019 versions antérieures à 16.0.10417.20027 | ||
| Microsoft | N/A | Microsoft SQL Server 2017 pour systèmes x64 (CU 31) versions antérieures à 14.0.3495.9 | ||
| Microsoft | N/A | Microsoft SharePoint Server Subscription Edition versions antérieures à 16.0.18526.20424 | ||
| Microsoft | N/A | Microsoft Teams pour iOS versions antérieures à 7.10.1 (100772025102901) | ||
| Microsoft | N/A | Microsoft Configuration Manager 2503 versions antérieures à 5.00.9135.1003 | ||
| Microsoft | N/A | Microsoft Visual Studio 2022 version 17.12 antérieures à 17.12.10 | ||
| Microsoft | N/A | Microsoft Visual Studio 2019 version 16.11 (inclus 16.0 - 16.10) antérieures à 16.11.49 | ||
| Microsoft | N/A | Microsoft Teams pour Desktop versions antérieures à 25060212643 | ||
| Microsoft | N/A | Microsoft SQL Server 2022 pour systèmes x64 (CU 19) versions antérieures à 16.0.1140.6 | ||
| Microsoft | N/A | Microsoft Teams pour Android versions antérieures à 1.0.0.2025112902 | ||
| Microsoft | N/A | Microsoft Visual Studio 2015 Update 3 versions antérieures à 14.0.27564.0 | ||
| Microsoft | N/A | Microsoft SQL Server 2017 pour systèmes x64 (GDR) versions antérieures à 14.0.2075.8 | ||
| Microsoft | N/A | Microsoft SQL Server 2016 pour systèmes x64 Service Pack 2 (GDR) versions antérieures à 13.0.6460.7 | ||
| Microsoft | N/A | Microsoft SQL Server 2019 pour systèmes x64 (CU 32) versions antérieures à 15.0.4435.7 | ||
| Microsoft | N/A | Microsoft Visual Studio 2022 version 17.14 antérieures à 17.14.8 | ||
| Microsoft | N/A | Microsoft Visual Studio 2017 version 15.9 (inclus 15.0 - 15.8) antérieures à 15.9.75 | ||
| Microsoft | N/A | Microsoft Teams pour Mac versions antérieures à 25163.3001.3726.6503 | ||
| Microsoft | N/A | Microsoft Visual Studio 2022 version 17.10 antérieures à 17.10.17 | ||
| Microsoft | N/A | Microsoft PC Manager versions antérieures à 3.17.4 | ||
| Microsoft | N/A | Microsoft SQL Server 2022 pour systèmes x64 (GDR) versions antérieures à 16.0.4200.1 | ||
| Microsoft | N/A | Microsoft Visual Studio 2022 version 17.8 antérieures à 17.8.23 | ||
| Microsoft | N/A | Microsoft SQL Server 2019 pour systèmes x64 (GDR) versions antérieures à 15.0.2135.5 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Python extension pour Visual Studio Code versions ant\u00e9rieures \u00e0 2025.8.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SharePoint Enterprise Server 2016 versions ant\u00e9rieures \u00e0 16.0.5508.1000",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SharePoint Server 2019 versions ant\u00e9rieures \u00e0 16.0.10417.20027",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (CU 31) versions ant\u00e9rieures \u00e0 14.0.3495.9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SharePoint Server Subscription Edition versions ant\u00e9rieures \u00e0 16.0.18526.20424",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Teams pour iOS versions ant\u00e9rieures \u00e0 7.10.1 (100772025102901)",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Configuration Manager 2503 versions ant\u00e9rieures \u00e0 5.00.9135.1003",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2022 version 17.12 ant\u00e9rieures \u00e0 17.12.10",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2019 version 16.11 (inclus 16.0 - 16.10) ant\u00e9rieures \u00e0 16.11.49",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Teams pour Desktop versions ant\u00e9rieures \u00e0 25060212643",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2022 pour syst\u00e8mes x64 (CU 19) versions ant\u00e9rieures \u00e0 16.0.1140.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Teams pour Android versions ant\u00e9rieures \u00e0 1.0.0.2025112902",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2015 Update 3 versions ant\u00e9rieures \u00e0 14.0.27564.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2017 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 14.0.2075.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2016 pour syst\u00e8mes x64 Service Pack 2 (GDR) versions ant\u00e9rieures \u00e0 13.0.6460.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2019 pour syst\u00e8mes x64 (CU 32) versions ant\u00e9rieures \u00e0 15.0.4435.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2022 version 17.14 ant\u00e9rieures \u00e0 17.14.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2017 version 15.9 (inclus 15.0 - 15.8) ant\u00e9rieures \u00e0 15.9.75",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Teams pour Mac versions ant\u00e9rieures \u00e0 25163.3001.3726.6503",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2022 version 17.10 ant\u00e9rieures \u00e0 17.10.17",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft PC Manager versions ant\u00e9rieures \u00e0 3.17.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2022 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 \t\n16.0.4200.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2022 version 17.8 ant\u00e9rieures \u00e0 17.8.23",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft SQL Server 2019 pour syst\u00e8mes x64 (GDR) versions ant\u00e9rieures \u00e0 15.0.2135.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-46835",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-46835"
},
{
"name": "CVE-2025-49714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49714"
},
{
"name": "CVE-2025-47178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47178"
},
{
"name": "CVE-2025-27614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27614"
},
{
"name": "CVE-2025-49701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49701"
},
{
"name": "CVE-2025-48385",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48385"
},
{
"name": "CVE-2025-27613",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27613"
},
{
"name": "CVE-2025-49737",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49737"
},
{
"name": "CVE-2025-49706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49706"
},
{
"name": "CVE-2025-49738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49738"
},
{
"name": "CVE-2025-48384",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48384"
},
{
"name": "CVE-2025-49704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49704"
},
{
"name": "CVE-2025-48386",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48386"
},
{
"name": "CVE-2025-49739",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49739"
},
{
"name": "CVE-2025-49719",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49719"
},
{
"name": "CVE-2025-49717",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49717"
},
{
"name": "CVE-2025-46334",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-46334"
},
{
"name": "CVE-2025-49718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49718"
},
{
"name": "CVE-2025-49731",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49731"
},
{
"name": "CVE-2025-49703",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49703"
}
],
"initial_release_date": "2025-07-09T00:00:00",
"last_revision_date": "2025-07-09T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0579",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49718",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49718"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-27614",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27614"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49739",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49739"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-46835",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-46835"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49714",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49714"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49731",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49731"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49717",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49717"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-27613",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27613"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49719",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49719"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49703",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49703"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-48386",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48386"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-48385",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48385"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49706",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49738",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49738"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49737",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49737"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49704",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-48384",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48384"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-46334",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-46334"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-49701",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49701"
},
{
"published_at": "2025-07-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-47178",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47178"
}
]
}
CERTFR-2025-AVI-0791
Vulnerability from certfr_avis - Published: 2025-09-16 - Updated: 2025-09-16
De multiples vulnérabilités ont été découvertes dans les produits Apple. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.
Apple indique que la vulnérabilité CVE-2025-43300 est activement exploitée.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Apple | iPadOS | iPadOS versions antérieures à 26 | ||
| Apple | watchOS | watchOS versions antérieures à 26 | ||
| Apple | iOS | iOS versions 16.x antérieures à 16.7.12 | ||
| Apple | macOS | macOS Sonoma versions antérieures à 14.8 | ||
| Apple | tvOS | tvOS versions antérieures à 26 | ||
| Apple | macOS | macOS Sequoia versions antérieures à 15.7 | ||
| Apple | iOS | iOS versions antérieures à 26 | ||
| Apple | iOS | iOS versions 15.x antérieures à 15.8.5 | ||
| Apple | iOS | iOS versions 18.x antérieures à 18.7 | ||
| Apple | visionOS | visionOS versions antérieures à 26 | ||
| Apple | Xcode | Xcode versions antérieures à 26 | ||
| Apple | Safari | Safari versions antérieures à 26 | ||
| Apple | iPadOS | iPadOS versions 15.x antérieures à 15.8.5 | ||
| Apple | iPadOS | iPadOS versions 16.x antérieures à 16.7.12 | ||
| Apple | macOS | macOS Tahoe versions antérieures à 26 | ||
| Apple | iPadOS | iPadOS versions 18.x antérieures à 18.7 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "iPadOS versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "iPadOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "watchOS versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "watchOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iOS versions 16.x ant\u00e9rieures \u00e0 16.7.12",
"product": {
"name": "iOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "macOS Sonoma versions ant\u00e9rieures \u00e0 14.8",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "tvOS versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "tvOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "macOS Sequoia versions ant\u00e9rieures \u00e0 15.7",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iOS versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "iOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iOS versions 15.x ant\u00e9rieures \u00e0 15.8.5",
"product": {
"name": "iOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iOS versions 18.x ant\u00e9rieures \u00e0 18.7",
"product": {
"name": "iOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "visionOS versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "visionOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Xcode versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "Xcode",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Safari versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "Safari",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iPadOS versions 15.x ant\u00e9rieures \u00e0 15.8.5",
"product": {
"name": "iPadOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iPadOS versions 16.x ant\u00e9rieures \u00e0 16.7.12",
"product": {
"name": "iPadOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "macOS Tahoe versions ant\u00e9rieures \u00e0 26",
"product": {
"name": "macOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "iPadOS versions 18.x ant\u00e9rieures \u00e0 18.7",
"product": {
"name": "iPadOS",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-43292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43292"
},
{
"name": "CVE-2025-43372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43372"
},
{
"name": "CVE-2025-43332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43332"
},
{
"name": "CVE-2025-31270",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31270"
},
{
"name": "CVE-2025-43362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43362"
},
{
"name": "CVE-2025-43319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43319"
},
{
"name": "CVE-2025-43340",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43340"
},
{
"name": "CVE-2025-43327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43327"
},
{
"name": "CVE-2025-30468",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30468"
},
{
"name": "CVE-2025-43359",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43359"
},
{
"name": "CVE-2025-43262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43262"
},
{
"name": "CVE-2024-27280",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27280"
},
{
"name": "CVE-2025-31269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31269"
},
{
"name": "CVE-2025-43354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43354"
},
{
"name": "CVE-2025-43326",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43326"
},
{
"name": "CVE-2025-43204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43204"
},
{
"name": "CVE-2025-43273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43273"
},
{
"name": "CVE-2025-43347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43347"
},
{
"name": "CVE-2025-43302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43302"
},
{
"name": "CVE-2025-43321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43321"
},
{
"name": "CVE-2025-31254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31254"
},
{
"name": "CVE-2025-43299",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43299"
},
{
"name": "CVE-2025-43316",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43316"
},
{
"name": "CVE-2025-43263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43263"
},
{
"name": "CVE-2025-31255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31255"
},
{
"name": "CVE-2025-43375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43375"
},
{
"name": "CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"name": "CVE-2025-43355",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43355"
},
{
"name": "CVE-2025-43207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43207"
},
{
"name": "CVE-2025-43285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43285"
},
{
"name": "CVE-2025-43370",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43370"
},
{
"name": "CVE-2025-43312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43312"
},
{
"name": "CVE-2025-43317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43317"
},
{
"name": "CVE-2025-31271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31271"
},
{
"name": "CVE-2025-43208",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43208"
},
{
"name": "CVE-2025-43283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43283"
},
{
"name": "CVE-2025-48384",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48384"
},
{
"name": "CVE-2025-43277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43277"
},
{
"name": "CVE-2025-43325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43325"
},
{
"name": "CVE-2025-43231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43231"
},
{
"name": "CVE-2025-24197",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24197"
},
{
"name": "CVE-2025-43358",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43358"
},
{
"name": "CVE-2025-43328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43328"
},
{
"name": "CVE-2025-43368",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43368"
},
{
"name": "CVE-2025-43315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43315"
},
{
"name": "CVE-2025-43331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43331"
},
{
"name": "CVE-2025-43310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43310"
},
{
"name": "CVE-2025-43333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43333"
},
{
"name": "CVE-2025-43203",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43203"
},
{
"name": "CVE-2025-43307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43307"
},
{
"name": "CVE-2025-43297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43297"
},
{
"name": "CVE-2025-43190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43190"
},
{
"name": "CVE-2025-24088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24088"
},
{
"name": "CVE-2025-43293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43293"
},
{
"name": "CVE-2025-43343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43343"
},
{
"name": "CVE-2025-43294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43294"
},
{
"name": "CVE-2025-43286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43286"
},
{
"name": "CVE-2025-43353",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43353"
},
{
"name": "CVE-2025-43356",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43356"
},
{
"name": "CVE-2025-43330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43330"
},
{
"name": "CVE-2025-43272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43272"
},
{
"name": "CVE-2025-31259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31259"
},
{
"name": "CVE-2025-31268",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31268"
},
{
"name": "CVE-2025-43366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43366"
},
{
"name": "CVE-2025-43298",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43298"
},
{
"name": "CVE-2025-43369",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43369"
},
{
"name": "CVE-2025-43308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43308"
},
{
"name": "CVE-2025-43346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43346"
},
{
"name": "CVE-2025-40909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40909"
},
{
"name": "CVE-2025-43337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43337"
},
{
"name": "CVE-2025-24133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24133"
},
{
"name": "CVE-2025-43279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43279"
},
{
"name": "CVE-2025-43314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43314"
},
{
"name": "CVE-2025-43300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43300"
},
{
"name": "CVE-2025-43342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43342"
},
{
"name": "CVE-2025-43349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43349"
},
{
"name": "CVE-2025-43341",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43341"
},
{
"name": "CVE-2025-43301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43301"
},
{
"name": "CVE-2025-43318",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43318"
},
{
"name": "CVE-2025-43344",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43344"
},
{
"name": "CVE-2025-43311",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43311"
},
{
"name": "CVE-2025-43287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43287"
},
{
"name": "CVE-2025-43303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43303"
},
{
"name": "CVE-2025-43304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43304"
},
{
"name": "CVE-2025-43291",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43291"
},
{
"name": "CVE-2025-43329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43329"
},
{
"name": "CVE-2025-43357",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43357"
},
{
"name": "CVE-2025-43367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43367"
},
{
"name": "CVE-2025-43371",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43371"
},
{
"name": "CVE-2025-43295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43295"
},
{
"name": "CVE-2025-43305",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43305"
}
],
"initial_release_date": "2025-09-16T00:00:00",
"last_revision_date": "2025-09-16T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0791",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-09-16T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Apple. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\nApple indique que la vuln\u00e9rabilit\u00e9 CVE-2025-43300 est activement exploit\u00e9e.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Apple",
"vendor_advisories": [
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125112",
"url": "https://support.apple.com/en-us/125112"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125116",
"url": "https://support.apple.com/en-us/125116"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125110",
"url": "https://support.apple.com/en-us/125110"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125115",
"url": "https://support.apple.com/en-us/125115"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125141",
"url": "https://support.apple.com/en-us/125141"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125117",
"url": "https://support.apple.com/en-us/125117"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125114",
"url": "https://support.apple.com/en-us/125114"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125108",
"url": "https://support.apple.com/en-us/125108"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125111",
"url": "https://support.apple.com/en-us/125111"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125109",
"url": "https://support.apple.com/en-us/125109"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125142",
"url": "https://support.apple.com/en-us/125142"
},
{
"published_at": "2025-09-15",
"title": "Bulletin de s\u00e9curit\u00e9 Apple 125113",
"url": "https://support.apple.com/en-us/125113"
}
]
}
CERTFR-2025-AVI-0746
Vulnerability from certfr_avis - Published: 2025-08-29 - Updated: 2025-08-29
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Cognos Dashboards | Cognos Command Center versions 10.2.4.1 et 10.2.5 antérieures à 10.2.5 FP1 IF1 | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.1.0.x antérieures à 6.1.0.2 GA | ||
| IBM | QRadar | QRadar SIEM versions 7.5.0 antérieures à QRadar 7.5.0 UP13 IF01 | ||
| IBM | Sterling | Sterling Connect:Direct pour Microsoft Windows versions 6.4.x antérieures à 6.4.0.3 | ||
| IBM | WebSphere | WebSphere Remote Server versions 9.1, 8.0 et 8.5 sans le dernier correctif de sécurité | ||
| IBM | Cognos Dashboards | Cognos Dashboards on Cloud Pak for Data versions 5.x antérieures à 5.2.1 | ||
| IBM | Sterling | Sterling Secure Proxy versions 6.2.0.x antérieures à 6.2.0.2 GA | ||
| IBM | QRadar | QRadar Incident Forensics versions 7.5.0 antérieures à QIF 7.5.0 UP13 IF01 | ||
| IBM | Sterling | Sterling External Authentication Server versions 6.1.0.x antérieures à 6.1.0.3 GA | ||
| IBM | Sterling | Sterling Connect:Direct pour Microsoft Windows versions 6.3.x antérieures à 6.3.0.6 | ||
| IBM | Db2 | Db2 Bridge versions antérieures à 1.1.1 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Cognos Command Center versions 10.2.4.1 et 10.2.5 ant\u00e9rieures \u00e0 10.2.5 FP1 IF1",
"product": {
"name": "Cognos Dashboards",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.2 GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.0 ant\u00e9rieures \u00e0 QRadar 7.5.0 UP13 IF01",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.4.x ant\u00e9rieures \u00e0 6.4.0.3",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Remote Server versions 9.1, 8.0 et 8.5 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cognos Dashboards on Cloud Pak for Data versions 5.x ant\u00e9rieures \u00e0 5.2.1",
"product": {
"name": "Cognos Dashboards",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.2.0.x ant\u00e9rieures \u00e0 6.2.0.2 GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Incident Forensics versions 7.5.0 ant\u00e9rieures \u00e0 QIF 7.5.0 UP13 IF01",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling External Authentication Server versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.3 GA",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.6",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Bridge versions ant\u00e9rieures \u00e0 1.1.1",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-6531",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6531"
},
{
"name": "CVE-2025-4447",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4447"
},
{
"name": "CVE-2024-21144",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21144"
},
{
"name": "CVE-2025-24789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24789"
},
{
"name": "CVE-2022-50020",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50020"
},
{
"name": "CVE-2025-47944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47944"
},
{
"name": "CVE-2024-50349",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50349"
},
{
"name": "CVE-2025-46835",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-46835"
},
{
"name": "CVE-2024-57980",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57980"
},
{
"name": "CVE-2024-43420",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43420"
},
{
"name": "CVE-2025-49794",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49794"
},
{
"name": "CVE-2025-22004",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22004"
},
{
"name": "CVE-2025-27614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27614"
},
{
"name": "CVE-2022-49111",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49111"
},
{
"name": "CVE-2025-1470",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1470"
},
{
"name": "CVE-2022-49058",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49058"
},
{
"name": "CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"name": "CVE-2024-52006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52006"
},
{
"name": "CVE-2025-4373",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4373"
},
{
"name": "CVE-2024-13009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13009"
},
{
"name": "CVE-2025-50106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-50106"
},
{
"name": "CVE-2025-48385",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48385"
},
{
"name": "CVE-2025-48060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48060"
},
{
"name": "CVE-2024-50154",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50154"
},
{
"name": "CVE-2025-27613",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27613"
},
{
"name": "CVE-2025-30754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30754"
},
{
"name": "CVE-2024-10917",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-10917"
},
{
"name": "CVE-2022-49136",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49136"
},
{
"name": "CVE-2025-6965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6965"
},
{
"name": "CVE-2022-49846",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49846"
},
{
"name": "CVE-2019-17543",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17543"
},
{
"name": "CVE-2025-38086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38086"
},
{
"name": "CVE-2025-48384",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48384"
},
{
"name": "CVE-2025-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
},
{
"name": "CVE-2025-27152",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
},
{
"name": "CVE-2025-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1471"
},
{
"name": "CVE-2025-38079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
},
{
"name": "CVE-2025-20012",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20012"
},
{
"name": "CVE-2025-7425",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7425"
},
{
"name": "CVE-2025-37738",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37738"
},
{
"name": "CVE-2024-53920",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53920"
},
{
"name": "CVE-2025-48976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
},
{
"name": "CVE-2025-21587",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
},
{
"name": "CVE-2025-52520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52520"
},
{
"name": "CVE-2024-52533",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52533"
},
{
"name": "CVE-2024-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28956"
},
{
"name": "CVE-2025-2697",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-2697"
},
{
"name": "CVE-2025-47935",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47935"
},
{
"name": "CVE-2025-50059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-50059"
},
{
"name": "CVE-2025-21928",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21928"
},
{
"name": "CVE-2025-30761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30761"
},
{
"name": "CVE-2024-47535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
},
{
"name": "CVE-2025-1494",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1494"
},
{
"name": "CVE-2025-1994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1994"
},
{
"name": "CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"name": "CVE-2025-24495",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24495"
},
{
"name": "CVE-2025-30698",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
},
{
"name": "CVE-2022-49977",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49977"
},
{
"name": "CVE-2024-54661",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54661"
},
{
"name": "CVE-2025-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37890"
},
{
"name": "CVE-2025-22020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22020"
},
{
"name": "CVE-2025-27533",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27533"
},
{
"name": "CVE-2025-6021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6021"
},
{
"name": "CVE-2025-55668",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55668"
},
{
"name": "CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"name": "CVE-2024-58002",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58002"
},
{
"name": "CVE-2025-32415",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32415"
},
{
"name": "CVE-2025-21905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21905"
},
{
"name": "CVE-2024-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23337"
},
{
"name": "CVE-2025-30749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30749"
},
{
"name": "CVE-2025-38052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38052"
},
{
"name": "CVE-2025-2900",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-2900"
},
{
"name": "CVE-2025-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53506"
},
{
"name": "CVE-2019-5427",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5427"
},
{
"name": "CVE-2022-49788",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49788"
},
{
"name": "CVE-2025-20623",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-20623"
},
{
"name": "CVE-2025-48997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48997"
},
{
"name": "CVE-2020-5260",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-5260"
},
{
"name": "CVE-2025-49796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49796"
},
{
"name": "CVE-2025-21919",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21919"
},
{
"name": "CVE-2024-21131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21131"
},
{
"name": "CVE-2024-34397",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34397"
},
{
"name": "CVE-2025-21991",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21991"
},
{
"name": "CVE-2025-7338",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7338"
},
{
"name": "CVE-2025-24790",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24790"
},
{
"name": "CVE-2024-45332",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45332"
},
{
"name": "CVE-2025-47273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
},
{
"name": "CVE-2025-23150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23150"
}
],
"initial_release_date": "2025-08-29T00:00:00",
"last_revision_date": "2025-08-29T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0746",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2025-08-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7243411",
"url": "https://www.ibm.com/support/pages/node/7243411"
},
{
"published_at": "2025-08-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7242915",
"url": "https://www.ibm.com/support/pages/node/7242915"
},
{
"published_at": "2025-08-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7243372",
"url": "https://www.ibm.com/support/pages/node/7243372"
},
{
"published_at": "2025-08-26",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7242159",
"url": "https://www.ibm.com/support/pages/node/7242159"
},
{
"published_at": "2025-08-26",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7243146",
"url": "https://www.ibm.com/support/pages/node/7243146"
},
{
"published_at": "2025-08-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7242161",
"url": "https://www.ibm.com/support/pages/node/7242161"
},
{
"published_at": "2025-08-26",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7243144",
"url": "https://www.ibm.com/support/pages/node/7243144"
},
{
"published_at": "2025-08-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7243011",
"url": "https://www.ibm.com/support/pages/node/7243011"
},
{
"published_at": "2025-08-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7243373",
"url": "https://www.ibm.com/support/pages/node/7243373"
}
]
}
FKIE_CVE-2025-48384
Vulnerability from fkie_nvd - Published: 2025-07-08 19:15 - Updated: 2025-11-06 14:52
Severity ?
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/Sep/60 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/07/08/4 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html | Mailing List, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384 | US Government Resource |
{
"cisaActionDue": "2025-09-15",
"cisaExploitAdd": "2025-08-25",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Git Link Following Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB276680-D286-4DF6-BCB7-CAC1D9D77E08",
"versionEndExcluding": "2.43.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "856A8970-74E2-4F8F-A1A6-2AB1C0C87E45",
"versionEndExcluding": "2.44.4",
"versionStartIncluding": "2.44.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1DB9BA-3D91-4F7D-931E-A664737129F0",
"versionEndExcluding": "2.45.4",
"versionStartIncluding": "2.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01BDA55C-F398-4286-ABC6-979A783BDC65",
"versionEndExcluding": "2.46.4",
"versionStartIncluding": "2.46.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FF4A2ACC-0996-4869-884D-734D6006C032",
"versionEndExcluding": "2.47.3",
"versionStartIncluding": "2.47.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0DD21A83-8D62-4EE4-914B-B5ACA19A84A2",
"versionEndExcluding": "2.48.2",
"versionStartIncluding": "2.48.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95C1825C-B7A2-46E9-93D7-2D196DB2515E",
"versionEndExcluding": "2.49.1",
"versionStartIncluding": "2.49.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18F948AD-22C0-4B2E-B497-899F3A94B70A",
"versionEndExcluding": "2.50.1",
"versionStartIncluding": "2.50.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37CC7F40-CC3A-4AEB-9260-B621FE64735A",
"versionEndExcluding": "26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1."
},
{
"lang": "es",
"value": "Git es un sistema de control de versiones distribuido, r\u00e1pido y escalable, con un conjunto de comandos excepcionalmente completo que proporciona operaciones de alto nivel y acceso completo a su funcionamiento interno. Al leer un valor de configuraci\u00f3n, Git elimina cualquier retorno de carro y avance de l\u00ednea (CRLF) final. Al escribir una entrada de configuraci\u00f3n, los valores con un CR final no se entrecomillan, lo que provoca que el CR se pierda al leer la configuraci\u00f3n posteriormente. Al inicializar un subm\u00f3dulo, si la ruta del subm\u00f3dulo contiene un CR final, se lee la ruta modificada, lo que provoca que el subm\u00f3dulo se extraiga a una ubicaci\u00f3n incorrecta. Si existe un enlace simb\u00f3lico que apunta la ruta modificada al directorio de ganchos del subm\u00f3dulo, y este contiene un gancho ejecutable posterior a la extracci\u00f3n, el script podr\u00eda ejecutarse accidentalmente despu\u00e9s de la extracci\u00f3n. Esta vulnerabilidad se ha corregido en v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 y v2.50.1."
}
],
"id": "CVE-2025-48384",
"lastModified": "2025-11-06T14:52:47.590",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-08T19:15:42.800",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2025/Sep/60"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
},
{
"lang": "en",
"value": "CWE-436"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2025-48384
Vulnerability from fstec - Published: 08.07.2025
VLAI Severity ?
Title
Уязвимость распределенной системы контроля версий Git средства разработки программного обеспечения Microsoft Visual Studio, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость распределенной системы контроля версий Git средства разработки программного обеспечения Microsoft Visual Studio связана с возникновением конфликта интерпретаций. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код
Severity ?
Vendor
ООО «Ред Софт», ООО «РусБИТех-Астра», АО «НТЦ ИТ РОСА», АО «ИВК», Microsoft Corp, Linus Torvalds, Junio Hamano, АО «СберТех», АО "НППКТ", ООО «НЦПР»
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), Astra Linux Special Edition (запись в едином реестре российских программ №369), Astra Linux Common Edition (запись в едином реестре российских программ №4433), РОСА ХРОМ (запись в едином реестре российских программ №1607), АЛЬТ СП 10, Microsoft Visual Studio 2017, Microsoft Visual Studio 2019, Microsoft Visual Studio 2022, Git, Platform V SberLinux OS Server (запись в едином реестре российских программ №18785), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), МСВСфера
Software Version
7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 1.6 «Смоленск» (Astra Linux Common Edition), 12.4 (РОСА ХРОМ), - (АЛЬТ СП 10), от 15.0 до 15.8 включительно (Microsoft Visual Studio 2017), от 16.0 до 16.10 включительно (Microsoft Visual Studio 2019), 1.8 (Astra Linux Special Edition), 17.12 (Microsoft Visual Studio 2022), 17.10 (Microsoft Visual Studio 2022), 17.8 (Microsoft Visual Studio 2022), 17.14 (Microsoft Visual Studio 2022), 2.50.0 (Git), 2.49.0 (Git), от 2.48.0 до 2.48.1 включительно (Git), от 2.47.0 до 2.47.2 включительно (Git), от 2.46.0 до 2.46.3 включительно (Git), от 2.45.0 до 2.45.3 включительно (Git), от 2.44.0 до 2.44.3 включительно (Git), 2.43.6 (Git), 9.1 (Platform V SberLinux OS Server), до 2.14 (ОСОН ОСнова Оnyx), 9.5 (МСВСфера)
Possible Mitigations
Использование рекомендаций:
Для Git GUI:
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
Для продуктов Microsoft:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48384
Для ОС АЛЬТ СП 10: установка обновления из публичного репозитория программного средства: https://altsp.su/obnovleniya-bezopasnosti/
Компенсирующие меры:
- избегать рекурсивного клонирования подмодулей в ненадёжных репозиториях.
Для ОС Astra Linux:
обновить пакет git до 1:2.43.0-1ubuntu7.3 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se18-bulletin-2025-0811SE18
Для РедОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОС Astra Linux:
обновить пакет git до 1:2.30.2-1+deb11u4.astra6 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-0923SE17
Обновление программного обеспечения git до версии 1:2.50.1-0.1
Для ОС Astra Linux:
обновить пакет git до 1:2.30.2-1+deb11u4.astra6 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1020SE47
Для операционной системы РОСА ХРОМ:
https://abf.rosa.ru/advisories/ROSA-SA-2025-3019
Для МСВСфера: https://errata.msvsphere-os.ru/definition/9/INFCSA-2025:11462?lang=ru
Для ОС Astra Linux:
обновить пакет git до 1:2.11.0-3+deb9u13+ci1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16
Reference
https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48385
https://altsp.su/obnovleniya-bezopasnosti/
https://wiki.astralinux.ru/astra-linux-se18-bulletin-2025-0811SE18
https://t.me/c/1627154862/199213
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-0923SE17
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.14/
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1020SE47
https://abf.rosa.ru/advisories/ROSA-SA-2025-3019
https://errata.msvsphere-os.ru/definition/9/INFCSA-2025:11462?lang=ru
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16
CWE
CWE-59, CWE-436
{
"CVSS 2.0": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "TO2275",
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": "TO2275 \u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 Xcode",
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, Microsoft Corp, Linus Torvalds, Junio Hamano, \u0410\u041e \u00ab\u0421\u0431\u0435\u0440\u0422\u0435\u0445\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u041e\u041e\u041e \u00ab\u041d\u0426\u041f\u0420\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Common Edition), 12.4 (\u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), \u043e\u0442 15.0 \u0434\u043e 15.8 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Microsoft Visual Studio 2017), \u043e\u0442 16.0 \u0434\u043e 16.10 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Microsoft Visual Studio 2019), 1.8 (Astra Linux Special Edition), 17.12 (Microsoft Visual Studio 2022), 17.10 (Microsoft Visual Studio 2022), 17.8 (Microsoft Visual Studio 2022), 17.14 (Microsoft Visual Studio 2022), 2.50.0 (Git), 2.49.0 (Git), \u043e\u0442 2.48.0 \u0434\u043e 2.48.1 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Git), \u043e\u0442 2.47.0 \u0434\u043e 2.47.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Git), \u043e\u0442 2.46.0 \u0434\u043e 2.46.3 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Git), \u043e\u0442 2.45.0 \u0434\u043e 2.45.3 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Git), \u043e\u0442 2.44.0 \u0434\u043e 2.44.3 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Git), 2.43.6 (Git), 9.1 (Platform V SberLinux OS Server), \u0434\u043e 2.14 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), 9.5 (\u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Git GUI:\nhttps://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Microsoft:\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48384\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u041b\u042c\u0422 \u0421\u041f 10: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430: https://altsp.su/obnovleniya-bezopasnosti/\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0437\u0431\u0435\u0433\u0430\u0442\u044c \u0440\u0435\u043a\u0443\u0440\u0441\u0438\u0432\u043d\u043e\u0433\u043e \u043a\u043b\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043f\u043e\u0434\u043c\u043e\u0434\u0443\u043b\u0435\u0439 \u0432 \u043d\u0435\u043d\u0430\u0434\u0451\u0436\u043d\u044b\u0445 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f\u0445.\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 git \u0434\u043e 1:2.43.0-1ubuntu7.3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se18-bulletin-2025-0811SE18\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 git \u0434\u043e 1:2.30.2-1+deb11u4.astra6 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-0923SE17\n\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f git \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:2.50.1-0.1\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 git \u0434\u043e 1:2.30.2-1+deb11u4.astra6 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1020SE47\n\n\u0414\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c:\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-3019\n\n\u0414\u043b\u044f \u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430: https://errata.msvsphere-os.ru/definition/9/INFCSA-2025:11462?lang=ru\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 git \u0434\u043e 1:2.11.0-3+deb9u13+ci1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.07.2025",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2026",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "21.07.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-08691",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-48384",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041b\u042c\u0422 \u0421\u041f 10, Microsoft Visual Studio 2017, Microsoft Visual Studio 2019, Microsoft Visual Studio 2022, Git, Platform V SberLinux OS Server (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211618785), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c 12.4 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.8 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \u00ab\u0421\u0431\u0435\u0440\u0422\u0435\u0445\u00bb Platform V SberLinux OS Server 9.1 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211618785), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.14 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u041e\u041e \u00ab\u041d\u0426\u041f\u0420\u00bb \u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430 9.5 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0432\u0435\u0440\u0441\u0438\u0439 Git \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Microsoft Visual Studio, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u0441\u0441\u044b\u043b\u043a\u0438 \u043f\u0435\u0440\u0435\u0434 \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c \u043a \u0444\u0430\u0439\u043b\u0443 (CWE-59), \u041a\u043e\u043d\u0444\u043b\u0438\u043a\u0442 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0446\u0438\u0439 (CWE-436)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044f \u0432\u0435\u0440\u0441\u0438\u0439 Git \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Microsoft Visual Studio \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u043e\u0437\u043d\u0438\u043a\u043d\u043e\u0432\u0435\u043d\u0438\u0435\u043c \u043a\u043e\u043d\u0444\u043b\u0438\u043a\u0442\u0430 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0446\u0438\u0439. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445, \u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48385\n\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://wiki.astralinux.ru/astra-linux-se18-bulletin-2025-0811SE18\nhttps://t.me/c/1627154862/199213\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-0923SE17\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.14/\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1020SE47\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-3019\nhttps://errata.msvsphere-os.ru/definition/9/INFCSA-2025:11462?lang=ru\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-59, CWE-436",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8)"
}
bit-git-2025-48384
Vulnerability from bitnami_vulndb
Published
2025-07-10 05:40
Modified
2025-11-06 13:25
Summary
Git allows arbitrary code execution through broken config quoting
Details
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "git",
"purl": "pkg:bitnami/git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.50.1"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2025-48384"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:git:git:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.",
"id": "BIT-git-2025-48384",
"modified": "2025-11-06T13:25:46.476Z",
"published": "2025-07-10T05:40:36.268Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48384"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48384"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/60"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/08/4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00003.html"
}
],
"schema_version": "1.6.2",
"summary": "Git allows arbitrary code execution through broken config quoting"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…