A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka Git for Visual Studio Tampering Vulnerability.
Weakness
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Visual_studio_2017 | Microsoft | 15.0 (including) | 15.9.18 (excluding) |
| Visual_studio_2019 | Microsoft | 16.0 (including) | 16.4.1 (excluding) |
| Git | Ubuntu | bionic | * |
| Git | Ubuntu | devel | * |
| Git | Ubuntu | disco | * |
| Git | Ubuntu | eoan | * |
| Git | Ubuntu | esm-infra/bionic | * |
| Git | Ubuntu | esm-infra/xenial | * |
| Git | Ubuntu | trusty | * |
| Git | Ubuntu | upstream | * |
| Git | Ubuntu | xenial | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/159.html
- https://cwe.mitre.org/data/definitions/177.html
- https://cwe.mitre.org/data/definitions/48.html
- https://cwe.mitre.org/data/definitions/641.html
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351
- https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
- https://security.gentoo.org/glsa/202003-30
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351
- https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
- https://security.gentoo.org/glsa/202003-30