MidnightBSD

Advisories for cygwin

CVE-2016-3067 HIGH

Cygwin before 2.5.0 does not properly handle updating permissions when changing users, which allows attackers to gain privileges.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264 (Permissions, Privileges, and Access Controls)

Products Affected

Vendor Product Version
cygwin cygwin *
CVE-2017-7523 MEDIUM

Cygwin versions 1.7.2 up to and including 1.8.0 contain a buffer overflow in the wcsxfrm and wcsxfrm_l functions. A specially crafted input string can crash the calling process (denial of service) or potentially hijack a process that is running with administrative privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787 (Out-of-bounds Write), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Products Affected

Vendor Product Version
cygwin cygwin 1.7.2
cygwin cygwin 1.7.3
cygwin cygwin 1.7.5
cygwin cygwin 1.7.6
cygwin cygwin 1.7.7
cygwin cygwin 1.7.8
cygwin cygwin 1.7.9
cygwin cygwin 1.7.10
cygwin cygwin 1.7.11
cygwin cygwin 1.7.12
cygwin cygwin 1.7.13
cygwin cygwin 1.7.14
cygwin cygwin 1.7.15
cygwin cygwin 1.7.16
cygwin cygwin 1.7.17
cygwin cygwin 1.7.18
cygwin cygwin 1.7.19
cygwin cygwin 1.7.21
cygwin cygwin 1.7.22
cygwin cygwin 1.7.23
cygwin cygwin 1.7.24
cygwin cygwin 1.7.25
cygwin cygwin 1.7.26
cygwin cygwin 1.7.27
cygwin cygwin 1.7.28
cygwin cygwin 1.7.29
cygwin cygwin 1.7.31
cygwin cygwin 1.7.32
cygwin cygwin 1.7.33
cygwin cygwin 1.7.34
cygwin cygwin 1.7.35
cygwin cygwin 1.8.0
CVE-2021-29468 MEDIUM

Cygwin Git is a patch set for the git command line tool for the Cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in their names can cause code from the repository to be executed during the checkout itself when the repository is checked out with Git on Cygwin. The problem is patched in the Cygwin Git v2.31.1-2 release. At the time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git from upstream sources should manually apply a patch to mitigate the vulnerability. As a mitigation, users should not clone or pull from untrusted repositories. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security-advisories@github.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20 (Improper Input Validation)

Products Affected

Vendor Product Version
cygwin git *
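The CVE-2021-29468 entry above names the two ingredients an attacker-controlled repository needs: symbolic links plus tracked files whose names contain backslashes, which Cygwin and Windows can treat as directory separators. The script below is an added example for this page, not code from MidnightBSD, Cygwin or the Cygwin Git patch set. It inspects a repository before anything is written to the working tree: it assumes the repository was fetched with `git clone --no-checkout`, reads `git ls-tree -r -z HEAD`, and resolves symlink targets with `git cat-file -p <oid>`. The sample listing, object ids and symlink target are constructed so the scan runs offline.

```python
"""Pre-checkout scan for the CVE-2021-29468 pattern (symlinks plus backslash
file names). Added example, not Cygwin Git code; sample data is constructed."""
import re
import subprocess
from typing import Dict, List, Tuple

SYMLINK_MODE = b"120000"

# Constructed sample of `git ls-tree -r -z HEAD` output: NUL-terminated
# records of the form "<mode> <type> <oid>\t<path>". Object ids are fake.
SAMPLE_LISTING = b"".join([
    b"100644 blob 0000000000000000000000000000000000000001\tREADME.md\0",
    b"120000 blob 0000000000000000000000000000000000000002\tlink\0",
    b"100644 blob 0000000000000000000000000000000000000003\tlink\\hooks\\post-checkout\0",
    b"100755 blob 0000000000000000000000000000000000000004\tbuild.sh\0",
])

# Constructed symlink targets keyed by blob id (what `git cat-file -p` prints).
SAMPLE_SYMLINK_TARGETS: Dict[bytes, bytes] = {
    b"0000000000000000000000000000000000000002": b".git",
}


def parse_ls_tree_z(data: bytes) -> List[Tuple[bytes, bytes, bytes, bytes]]:
    """Split NUL-terminated ls-tree records into (mode, type, oid, path)."""
    entries = []
    for record in data.split(b"\0"):
        if not record:
            continue
        meta, path = record.split(b"\t", 1)
        mode, objtype, oid = meta.split(b" ")
        entries.append((mode, objtype, oid, path))
    return entries


def path_components(path: bytes) -> List[bytes]:
    """Split on both '/' and '\\': on Cygwin/Windows a backslash inside a
    file name can act as a directory separator, which the attack relies on."""
    return [c for c in re.split(rb"[\\/]", path) if c]


def symlink_target_escapes(target: bytes) -> bool:
    """True if a symlink target leaves the checkout or points into .git."""
    comps = path_components(target)
    return (
        target.startswith((b"/", b"\\"))
        or re.match(rb"^[A-Za-z]:", target) is not None
        or b".." in comps
        or any(c.lower() == b".git" for c in comps)
    )


def find_suspicious_entries(listing: bytes, symlink_targets: Dict[bytes, bytes]) -> dict:
    """Report backslash paths, symlinks, and whether both preconditions hold."""
    backslash_paths: List[bytes] = []
    symlinks: List[bytes] = []
    dangerous_symlinks: List[Tuple[bytes, bytes]] = []
    for mode, _objtype, oid, path in parse_ls_tree_z(listing):
        if b"\\" in path:
            backslash_paths.append(path)
        if mode == SYMLINK_MODE:
            symlinks.append(path)
            target = symlink_targets.get(oid, b"")
            if symlink_target_escapes(target):
                dangerous_symlinks.append((path, target))
    return {
        "backslash_paths": backslash_paths,
        "symlinks": symlinks,
        "dangerous_symlinks": dangerous_symlinks,
        # The advisory's precondition: symlinks AND backslash file names.
        "matches_cve_pattern": bool(symlinks) and bool(backslash_paths),
    }


def scan_repository(repo_dir: str) -> dict:
    """Run the scan against a real repository cloned with --no-checkout."""
    listing = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "-z", "HEAD"],
        check=True, capture_output=True).stdout
    targets: Dict[bytes, bytes] = {}
    for mode, _objtype, oid, _path in parse_ls_tree_z(listing):
        if mode == SYMLINK_MODE:
            targets[oid] = subprocess.run(
                ["git", "-C", repo_dir, "cat-file", "-p", oid.decode()],
                check=True, capture_output=True).stdout
    return find_suspicious_entries(listing, targets)


if __name__ == "__main__":
    report = find_suspicious_entries(SAMPLE_LISTING, SAMPLE_SYMLINK_TARGETS)
    for path in report["backslash_paths"]:
        print("backslash in tracked path:", path)
    for path, target in report["dangerous_symlinks"]:
        print("symlink escaping the checkout:", path, "->", target)
    print("matches CVE-2021-29468 pattern:", report["matches_cve_pattern"])
```

Usage: `git clone --no-checkout <url> repo` followed by `scan_repository("repo")`; only run `git checkout` once the report is clean. A backslash in a tracked name is legitimate on Linux, so the scan reports it rather than rejecting it outright, but on Cygwin a name such as `link\hooks\post-checkout` next to a symlink named `link` is exactly the shape the advisory describes and should be treated as hostile.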