OnlyFm252
Visual Studio

CVE-2019-1387 — Git for Visual Studio Remote Code Execution Vulnerability

Critical EPSS 0.04426 2019-12 archive

Executive Summary

A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to convince the user to clone a malicious repo. The security update addresses the vulnerability by correcting how Git for Visual Studio validates command-line input.

Overview

Critical
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Remote Code Execution
Released Dec 10 2019
Last Updated Dec 10 2019
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known
EPSS Score 0.04426 — 0.90114 percentile

EPSS Score

0.04426
probability of exploitation in the next 30 days
0.90114 percentile - updated 2026-06-20
View on FIRST.org

Affected Products

4 affected products
Product KB Article Severity Impact Restart Required
Microsoft Visual Studio 2017 version 15.0 Release Notes (Security Update) Critical Remote Code Execution Maybe
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) Release Notes (Security Update) Critical Remote Code Execution Maybe
Microsoft Visual Studio 2019 version 16.0 Release Notes (Security Update) Critical Remote Code Execution Maybe
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Release Notes (Security Update) Critical Remote Code Execution Maybe

Patches

1 patch
Article Type Restart
Release Notes Security Update Maybe

Known Exploits

Acknowledgments

@CTurtE ) and Nicolas Joly (@n_joly) of Microsoft Corporation

On This Page