Cygwin before 2.5.0 does not properly handle updating permissions when changing users, which allows attackers to gain privileges.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygwin | cygwin | * |
Cygwin versions 1.7.2 up to and including 1.8.0 contain a buffer overflow vulnerability in the wcsxfrm/wcsxfrm_l functions. A specially crafted input string can trigger it, resulting in denial of service by crashing the process or in potential hijacking of a process running with administrative privileges.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787, CWE-119
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygwin | cygwin | 1.7.14 |
| cygwin | cygwin | 1.7.32 |
| cygwin | cygwin | 1.7.26 |
| cygwin | cygwin | 1.7.10 |
| cygwin | cygwin | 1.7.21 |
| cygwin | cygwin | 1.7.28 |
| cygwin | cygwin | 1.7.33 |
| cygwin | cygwin | 1.7.29 |
| cygwin | cygwin | 1.7.9 |
| cygwin | cygwin | 1.7.19 |
| cygwin | cygwin | 1.7.22 |
| cygwin | cygwin | 1.7.24 |
| cygwin | cygwin | 1.7.12 |
| cygwin | cygwin | 1.7.25 |
| cygwin | cygwin | 1.7.27 |
| cygwin | cygwin | 1.7.3 |
| cygwin | cygwin | 1.7.13 |
| cygwin | cygwin | 1.7.8 |
| cygwin | cygwin | 1.7.17 |
| cygwin | cygwin | 1.8.0 |
| cygwin | cygwin | 1.7.34 |
| cygwin | cygwin | 1.7.23 |
| cygwin | cygwin | 1.7.31 |
| cygwin | cygwin | 1.7.15 |
| cygwin | cygwin | 1.7.16 |
| cygwin | cygwin | 1.7.5 |
| cygwin | cygwin | 1.7.11 |
| cygwin | cygwin | 1.7.2 |
| cygwin | cygwin | 1.7.7 |
| cygwin | cygwin | 1.7.18 |
| cygwin | cygwin | 1.7.35 |
| cygwin | cygwin | 1.7.6 |
Cygwin Git is a patch set for the Git command-line tool for the Cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked-out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At the time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git from upstream sources should manually apply a patch to mitigate the vulnerability. As a mitigation, users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| security-advisories@github.com | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygwin | git | * |