CVE-2018-17456

CVE-2018-17456

Name

CVE-2018-17456

Description

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Mailing List	https://www.openwall.com/lists/oss-security/2018/10/06/3
Third Party Advisory	https://marc.info/?l=git&m=153875888916397&w=2
Patch	https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
Patch	https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
Third Party Advisory	https://www.debian.org/security/2018/dsa-4311
Exploit	https://www.exploit-db.com/exploits/45548/
Third Party Advisory	http://www.securitytracker.com/id/1041811
Third Party Advisory	http://www.securityfocus.com/bid/105523
Third Party Advisory	https://usn.ubuntu.com/3791-1/
Exploit	https://www.exploit-db.com/exploits/45631/
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3408
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3505
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3541
Mailing List	https://seclists.org/bugtraq/2019/Mar/30
VDB Entry	http://www.securityfocus.com/bid/107511
Third Party Advisory	http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
REDHAT	https://access.redhat.com/errata/RHSA-2020:0316
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html

Type

URI

Mailing List

https://www.openwall.com/lists/oss-security/2018/10/06/3

Third Party Advisory

https://marc.info/?l=git&m=153875888916397&w=2

Patch

https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46

Patch

https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404

Third Party Advisory

https://www.debian.org/security/2018/dsa-4311

Exploit

https://www.exploit-db.com/exploits/45548/

Third Party Advisory

http://www.securitytracker.com/id/1041811

Third Party Advisory

http://www.securityfocus.com/bid/105523

Third Party Advisory

https://usn.ubuntu.com/3791-1/

Exploit

https://www.exploit-db.com/exploits/45631/

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3408

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3505

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3541

Mailing List

https://seclists.org/bugtraq/2019/Mar/30

VDB Entry

http://www.securityfocus.com/bid/107511

Third Party Advisory

http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html

REDHAT

https://access.redhat.com/errata/RHSA-2020:0316

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:git-scm:git::::::::`	git	>= 2.14.0	< 2.14.5
`cpe:2.3:a:git-scm:git::::::::`	git	>= 2.19.0	< 2.19.1
`cpe:2.3:a:git-scm:git::::::::`	git	>= 2.18.0	< 2.18.1
`cpe:2.3:a:git-scm:git::::::::`	git	>= 2.17.0	< 2.17.2
`cpe:2.3:a:git-scm:git::::::::`	git	>= 2.16.0	< 2.16.5
`cpe:2.3:a:git-scm:git::::::::`	git	>= 2.15.0	< 2.15.3

CPE URI

Source package

Min version

Max version