CVE-2018-17456

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/105523 Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/107511 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041811 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:3408 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3505 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3541 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0316
https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 Patch Third Party Advisory
https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 Patch Third Party Advisory
https://marc.info/?l=git&m=153875888916397&w=2 Third Party Advisory
https://seclists.org/bugtraq/2019/Mar/30 Mailing List Third Party Advisory
https://usn.ubuntu.com/3791-1/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4311 Third Party Advisory
https://www.exploit-db.com/exploits/45548/ Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/45631/ Exploit Third Party Advisory VDB Entry
https://www.openwall.com/lists/oss-security/2018/10/06/3 Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/105523 Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/107511 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041811 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:3408 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3505 Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3541 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0316
https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 Patch Third Party Advisory
https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 Patch Third Party Advisory
https://marc.info/?l=git&m=153875888916397&w=2 Third Party Advisory
https://seclists.org/bugtraq/2019/Mar/30 Mailing List Third Party Advisory
https://usn.ubuntu.com/3791-1/ Third Party Advisory
https://www.debian.org/security/2018/dsa-4311 Third Party Advisory
https://www.exploit-db.com/exploits/45548/ Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/45631/ Exploit Third Party Advisory VDB Entry
https://www.openwall.com/lists/oss-security/2018/10/06/3 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 4 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:54

Type Values Removed Values Added
References () http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html - () http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html -
References () http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html - Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/105523 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/105523 - Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/107511 - VDB Entry, Third Party Advisory () http://www.securityfocus.com/bid/107511 - Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1041811 - Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1041811 - Third Party Advisory, VDB Entry
References () https://access.redhat.com/errata/RHSA-2018:3408 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:3408 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:3505 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:3505 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2018:3541 - Third Party Advisory () https://access.redhat.com/errata/RHSA-2018:3541 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2020:0316 - () https://access.redhat.com/errata/RHSA-2020:0316 -
References () https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 - Patch, Third Party Advisory () https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 - Patch, Third Party Advisory
References () https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 - Patch, Third Party Advisory () https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 - Patch, Third Party Advisory
References () https://marc.info/?l=git&m=153875888916397&w=2 - Third Party Advisory () https://marc.info/?l=git&m=153875888916397&w=2 - Third Party Advisory
References () https://seclists.org/bugtraq/2019/Mar/30 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2019/Mar/30 - Mailing List, Third Party Advisory
References () https://usn.ubuntu.com/3791-1/ - Third Party Advisory () https://usn.ubuntu.com/3791-1/ - Third Party Advisory
References () https://www.debian.org/security/2018/dsa-4311 - Third Party Advisory () https://www.debian.org/security/2018/dsa-4311 - Third Party Advisory
References () https://www.exploit-db.com/exploits/45548/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/45548/ - Exploit, Third Party Advisory, VDB Entry
References () https://www.exploit-db.com/exploits/45631/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/45631/ - Exploit, Third Party Advisory, VDB Entry
References () https://www.openwall.com/lists/oss-security/2018/10/06/3 - Mailing List, Third Party Advisory () https://www.openwall.com/lists/oss-security/2018/10/06/3 - Mailing List, Third Party Advisory

Information

Published : 2018-10-06 14:29

Updated : 2024-11-21 03:54


NVD link : CVE-2018-17456

Mitre link : CVE-2018-17456

CVE.ORG link : CVE-2018-17456


JSON object : View

Products Affected

debian

  • debian_linux

redhat

  • enterprise_linux_server_tus
  • ansible_tower
  • enterprise_linux_server_aus
  • enterprise_linux_workstation
  • enterprise_linux_server_eus
  • enterprise_linux_server
  • enterprise_linux
  • enterprise_linux_desktop

canonical

  • ubuntu_linux

git-scm

  • git
CWE
CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')