CVE-2021-40330

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

EPSS Score percentile: 67%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| git-scm | git | 𝑥 < 2.30.1 |
| debian | debian_linux | 𝑥 10.0 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| git | bookworm | 1:2.39.2-1.1 | fixed |
| git | bookworm (security) | 1:2.39.5-0+deb12u1 | fixed |
| git | bullseye | 1:2.30.2-1+deb11u2 | no-dsa |
| git | bullseye (security) | 1:2.30.2-1+deb11u3 | fixed |
| git | sid | 1:2.45.2-1.1 | fixed |
| git | stretch | | no-dsa |
| git | trixie | 1:2.45.2-1 | fixed |

Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| git | bionic | Fixed 1:2.17.1-1ubuntu0.9 | released |
| git | focal | Fixed 1:2.25.1-1ubuntu3.2 | released |
| git | hirsute | | not-affected |
| git | impish | | not-affected |
| git | jammy | | not-affected |
| git | trusty | | dne |
| git | xenial | Fixed 1:2.7.4-0ubuntu1.10+esm1 | released |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| git | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-arch | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-arch | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-arch | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-core | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-core | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-core | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-cvs | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-cvs | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-cvs | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-cvs | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-cvs | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-cvs | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-daemon | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-daemon | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-daemon | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-daemon | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-daemon | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-daemon | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-doc | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-doc | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-doc | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-email | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-email | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-email | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-email | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-email | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-email | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-gui | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-gui | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-gui | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-gui | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-gui | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-gui | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-svn | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-svn | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-svn | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-svn | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-svn | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-svn | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| git-web | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| git-web | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-web | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| git-web | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| git-web | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| git-web | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |
| gitk | suse enterprise desktop 15 SP2 | 2.26.2-33.1 | fixed |
| gitk | suse enterprise sap 12 SP5 | 2.26.2-27.49.3 | fixed |
| gitk | suse enterprise sap 15 SP2 | 2.26.2-33.1 | fixed |
| gitk | suse enterprise server 12 SP3 | 2.26.2-27.49.3 | fixed |
| gitk | suse enterprise server 12 SP5 | 2.26.2-27.49.3 | fixed |
| gitk | suse enterprise server 15 SP2 | 2.26.2-33.1 | fixed |