Vulnerability CVE-2018-17456: Information

Description

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: Oct. 6, 2018
Modified: Aug. 24, 2020
Error type identifier: CWE-88

Fixed packages

Package name | Branch   | Fixed in version | Version from repository | Errata ID          | Task # | State
git          | sisyphus | 2.17.2-alt1      | 2.42.1-alt1             | ALT-PU-2018-2462-1 | 214636 | Fixed
git          | p10      | 2.17.2-alt1      | 2.33.8-alt1             | ALT-PU-2018-2462-1 | 214636 | Fixed
git          | p9       | 2.17.2-alt1      | 2.25.4-alt1             | ALT-PU-2018-2462-1 | 214636 | Fixed
git          | p8       | 2.21.0-alt1      | 2.24.1-alt1             | ALT-PU-2019-1929-1 | 229857 | Fixed
git          | c10f1    | 2.17.2-alt1      | 2.42.1-alt1             | ALT-PU-2018-2462-1 | 214636 | Fixed
git          | c9f2     | 2.17.2-alt1      | 2.33.8-alt1             | ALT-PU-2018-2462-1 | 214636 | Fixed
libgit2      | sisyphus | 0.26.7-alt1      | 1.7.2-alt1              | ALT-PU-2018-2459-1 | 214671 | Fixed
libgit2      | p10      | 0.26.7-alt1      | 1.3.2-alt1              | ALT-PU-2018-2459-1 | 214671 | Fixed
libgit2      | p9       | 0.26.7-alt1      | 0.28.3-alt1             | ALT-PU-2018-2459-1 | 214671 | Fixed
libgit2      | c10f1    | 0.26.7-alt1      | 1.3.2-alt1              | ALT-PU-2018-2459-1 | 214671 | Fixed
libgit2      | c9f2     | 0.26.7-alt1      | 0.28.3-alt1             | ALT-PU-2018-2459-1 | 214671 | Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.openwall.com/lists/oss-security/2018/10/06/3
  • Mailing List
  • Third Party Advisory
https://marc.info/?l=git&m=153875888916397&w=2
  • Third Party Advisory
https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
  • Patch
  • Third Party Advisory
https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
  • Patch
  • Third Party Advisory
DSA-4311
  • Third Party Advisory
45548
  • Exploit
  • Third Party Advisory
  • VDB Entry
1041811
  • Third Party Advisory
  • VDB Entry
105523
  • Third Party Advisory
  • VDB Entry
USN-3791-1
  • Third Party Advisory
45631
  • Exploit
  • Third Party Advisory
  • VDB Entry
RHSA-2018:3408
  • Third Party Advisory
RHSA-2018:3505
  • Third Party Advisory
RHSA-2018:3541
  • Third Party Advisory
20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
  • Mailing List
  • Third Party Advisory
107511
  • VDB Entry
  • Third Party Advisory
http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
  • Third Party Advisory
  • VDB Entry
RHSA-2020:0316
  • Third Party Advisory
openSUSE-SU-2020:0598
  • Third Party Advisory

Known affected software configurations

Configuration 1

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
  From (including): 2.19.0
  Up to (excluding): 2.19.1

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
  From (including): 2.18.0
  Up to (excluding): 2.18.1

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
  From (including): 2.17.0
  Up to (excluding): 2.17.2

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
  From (including): 2.16.0
  Up to (excluding): 2.16.5

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
  From (including): 2.15.0
  Up to (excluding): 2.15.3

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*
  From (including): 2.14.0
  Up to (excluding): 2.14.5

Configuration 2

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 4

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*