ID CVE-2018-17456
Summary Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
References
Vulnerable Configurations
  • cpe:2.3:a:git-scm:git:2.14.0:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.14.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.14.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.14.1:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.14.2:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.2:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.14.3:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.3:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.14.4:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.14.4:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.15.0:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.15.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.15.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.15.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.15.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.15.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.15.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.15.1:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.15.1:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.15.2:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.0:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.1:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.2:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.2:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.3:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.3:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.16.4:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.16.4:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.17.0:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.17.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.17.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.17.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.17.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.17.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.17.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.17.1:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.18.0:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.18.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.18.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.18.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.18.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.18.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.18.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.19.0:*:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.19.0:rc0:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.19.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.19.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.19.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:git-scm:git:2.19.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:git-scm:git:2.19.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 22-04-2019 - 17:48)
Impact:
Exploitability:
CWE CWE-88
CAPEC
  • Parameter Injection
    An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.
  • Flash Parameter Injection
    An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document. These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document. The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks.
  • Using Meta-characters in E-mail Headers to Inject Malicious Payloads
    This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
  • HTTP Parameter Pollution (HPP)
    An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1636619
    title CVE-2018-17456 git: arbitrary code execution via .gitmodules
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment emacs-git is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408031
        • comment emacs-git is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003012
      • AND
        • comment emacs-git-el is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408033
        • comment emacs-git-el is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003024
      • AND
        • comment git is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408009
        • comment git is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003006
      • AND
        • comment git-all is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408015
        • comment git-all is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003028
      • AND
        • comment git-bzr is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408029
        • comment git-bzr is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152561020
      • AND
        • comment git-cvs is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408017
        • comment git-cvs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003014
      • AND
        • comment git-daemon is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408005
        • comment git-daemon is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003026
      • AND
        • comment git-email is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408019
        • comment git-email is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003010
      • AND
        • comment git-gnome-keyring is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408011
        • comment git-gnome-keyring is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20183408012
      • AND
        • comment git-gui is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408035
        • comment git-gui is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003022
      • AND
        • comment git-hg is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408027
        • comment git-hg is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152561026
      • AND
        • comment git-instaweb is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408039
        • comment git-instaweb is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20183408040
      • AND
        • comment git-p4 is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408025
        • comment git-p4 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152561036
      • AND
        • comment git-svn is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408007
        • comment git-svn is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003020
      • AND
        • comment gitk is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408021
        • comment gitk is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003008
      • AND
        • comment gitweb is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408023
        • comment gitweb is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003018
      • AND
        • comment perl-Git is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408037
        • comment perl-Git is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20101003016
      • AND
        • comment perl-Git-SVN is earlier than 0:1.8.3.1-20.el7
          oval oval:com.redhat.rhsa:tst:20183408013
        • comment perl-Git-SVN is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152561018
    rhsa
    id RHSA-2018:3408
    released 2018-10-30
    severity Important
    title RHSA-2018:3408: git security update (Important)
  • rhsa
    id RHSA-2018:3505
  • rhsa
    id RHSA-2018:3541
rpms
  • emacs-git-0:1.8.3.1-20.el7
  • emacs-git-el-0:1.8.3.1-20.el7
  • git-0:1.8.3.1-20.el7
  • git-all-0:1.8.3.1-20.el7
  • git-bzr-0:1.8.3.1-20.el7
  • git-cvs-0:1.8.3.1-20.el7
  • git-daemon-0:1.8.3.1-20.el7
  • git-email-0:1.8.3.1-20.el7
  • git-gnome-keyring-0:1.8.3.1-20.el7
  • git-gui-0:1.8.3.1-20.el7
  • git-hg-0:1.8.3.1-20.el7
  • git-instaweb-0:1.8.3.1-20.el7
  • git-p4-0:1.8.3.1-20.el7
  • git-svn-0:1.8.3.1-20.el7
  • gitk-0:1.8.3.1-20.el7
  • gitweb-0:1.8.3.1-20.el7
  • perl-Git-0:1.8.3.1-20.el7
  • perl-Git-SVN-0:1.8.3.1-20.el7
refmap via4
bid
  • 105523
  • 107511
bugtraq 20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
debian DSA-4311
exploit-db
  • 45548
  • 45631
misc
sectrack 1041811
ubuntu USN-3791-1
Last major update 22-04-2019 - 17:48
Published 06-10-2018 - 14:29
Last modified 24-08-2020 - 17:37
Back to Top