Arch Linux: Arbitrary code execution (CVE-2019-1349)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Jan 24, 2020 | Jul 11, 2025 | Nov 27, 2025 |
Description
A security issue has been found in git before 2.24.1. When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352, where files would be written to the `.git/` directory using a synonymous directory name), it was possible to "squat" on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux.
Solution
arch-linux-upgrade-latest
References
- CVE-2019-1349
- https://attackerkb.com/topics/CVE-2019-1349
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://access.redhat.com/errata/RHSA-2020:0228
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349
- https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
- https://security.archlinux.org/ASA-201912-5
- https://security.archlinux.org/ASA-201912-6
- https://security.gentoo.org/glsa/202003-30
- CWE-20