GitLab not affected by Git vulnerability CVE-2014-9390
Published on: December 19, 2014

GitLab.com, GitLab Community Edition and Enterprise Edition are not directly affected by Git vulnerability CVE-2014-9390.

A critical Git security vulnerability that affects all versions of the official Git client was announced yesterday. Since this is a client-side only vulnerability, GitLab.com, GitLab Community Edition and GitLab Enterprise Edition are not directly affected.

The vulnerability is present in Git and Git-compatible clients that access Git repositories on a case-insensitive or case-normalizing filesystem. An attacker can create a malicious Git tree that causes the .git/config file to be overwritten when cloning or checking out a repository. This enables the attacker to execute arbitrary commands on the client's machine. Git clients running on macOS (HFS+, unless formatted as case-sensitive) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients running on a case-sensitive filesystem are not affected.
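For screening a repository before it reaches an unpatched client, the Python below flags tree paths with a component that such a filesystem would treat as `.git`. It is an added example, not code from GitLab or the Git project. It goes beyond the case-insensitive case described above by also covering HFS+ ignorable code points and the NTFS short-name and trailing-dot forms, which are assumptions not listed on this page, as are the function names and sample paths.

```python
# Code points HFS+ ignores when comparing file names. Assumption: this list
# mirrors what Git's core.protectHFS check skips; it is not given on this page.
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))   # U+202A .. U+202E
    + list(range(0x206A, 0x2070))   # U+206A .. U+206F
)


def aliases_dot_git(component):
    """True if a case-insensitive or case-normalizing filesystem could
    resolve this single path component to ".git"."""
    # HFS+ view: drop ignorable code points, then compare without case.
    hfs = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    if hfs.casefold() == ".git":
        return True
    # NTFS/FAT view: trailing dots and spaces are dropped, and "git~1" is
    # the usual 8.3 short name generated for ".git".
    ntfs = component.rstrip(". ").casefold()
    return ntfs in (".git", "git~1")


def suspicious_paths(paths):
    """Return (path, component) for every tree path that aliases .git.

    A literal ".git" component is flagged as well, because a Git tree
    should never contain an entry with that name.
    """
    hits = []
    for path in paths:
        for comp in path.split("/"):
            if aliases_dot_git(comp):
                hits.append((path, comp))
                break
    return hits


# Constructed sample input, shaped like the NUL-split output of
# `git ls-tree -r -z --name-only <rev>`.
SAMPLE_PATHS = [
    "README.md", ".gitignore", ".github/workflows/ci.yml",
    ".GIT/config", "lib/.g\u200cit/config", "vendor/GIT~1/config",
    "src/main.c",
]

if __name__ == "__main__":
    for path, comp in suspicious_paths(SAMPLE_PATHS):
        print(f"REJECT {path!r}: component {comp!r} aliases .git")
```

Legitimate names such as `.gitignore` and `.github` pass, because only a whole path component that resolves to `.git` is flagged.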

We strongly recommend that our users update their Git clients as soon as possible and be cautious when cloning repositories from untrusted sources.

The following updated versions of Git address this vulnerability:

  • The Git core team has announced maintenance releases for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).

  • These major Git libraries, libgit2 and JGit, have released maintenance versions with the fix as well.

Please contact us at support.gitlab.com if you have any questions about this issue.

About GitLab

You can try GitLab by downloading the Community Edition and installing it on your own server or by signing up to our free, unlimited GitLab instance GitLab.com.

Check out GitLab Enterprise Edition for deep LDAP integration, git hooks, Jenkins integration and many more powerful enterprise features.
