gsd-2015-8968
Vulnerability from gsd
Modified
2015-12-11 00:00
Details
Git allows executing arbitrary shell commands using git-remote-ext via a remote URLs. Normally git never requests URLs that the user doesn't specifically request, so this is not a serious security concern. However, submodules did allow the remote repository to specify what URL to clone from. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.
Aliases
Aliases
CVE-2015-8968


To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-8968",
    "description": "git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.",
    "id": "GSD-2015-8968"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "git-fastclone",
            "purl": "pkg:gem/git-fastclone"
          }
        }
      ],
      "aliases": [
        "CVE-2015-8968",
        "GHSA-8gg6-3r63-25m8"
      ],
      "details": "Git allows executing arbitrary shell commands using git-remote-ext via a\nremote URLs. Normally git never requests URLs that the user doesn\u0027t\nspecifically request, so this is not a serious security concern. However,\nsubmodules did allow the remote repository to specify what URL to clone\nfrom.\n\nIf an attacker can instruct a user to run a recursive clone from a\nrepository they control, they can get a client to run an arbitrary shell\ncommand. Alternately, if an attacker can MITM an unencrypted git clone,\nthey could exploit this. The ext command will be run if the repository is\nrecursively cloned or if submodules are updated. This attack works when\ncloning both local and remote repositories.\n",
      "id": "GSD-2015-8968",
      "modified": "2015-12-11T00:00:00.000Z",
      "published": "2015-12-11T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://hackerone.com/reports/104465"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 8.8,
          "type": "CVSS_V3"
        }
      ],
      "summary": "git-fastclone permits arbitrary shell command execution from .gitmodules"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2015-8968",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "git-fastclone ruby gem All versions before 1.0.1",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "git-fastclone ruby gem All versions before 1.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Arbitrary Command Execution"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/104465",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/104465"
          },
          {
            "name": "81433",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/81433"
          },
          {
            "name": "https://github.com/square/git-fastclone/pull/2",
            "refsource": "MISC",
            "url": "https://github.com/square/git-fastclone/pull/2"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-8968",
      "cvss_v3": 8.8,
      "date": "2015-12-11",
      "description": "Git allows executing arbitrary shell commands using git-remote-ext via a\nremote URLs. Normally git never requests URLs that the user doesn\u0027t\nspecifically request, so this is not a serious security concern. However,\nsubmodules did allow the remote repository to specify what URL to clone\nfrom.\n\nIf an attacker can instruct a user to run a recursive clone from a\nrepository they control, they can get a client to run an arbitrary shell\ncommand. Alternately, if an attacker can MITM an unencrypted git clone,\nthey could exploit this. The ext command will be run if the repository is\nrecursively cloned or if submodules are updated. This attack works when\ncloning both local and remote repositories.\n",
      "gem": "git-fastclone",
      "ghsa": "8gg6-3r63-25m8",
      "patched_versions": [
        "\u003e= 1.0.1"
      ],
      "title": "git-fastclone permits arbitrary shell command execution from .gitmodules",
      "url": "https://hackerone.com/reports/104465"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.0.1",
          "affected_versions": "All versions before 1.0.1",
          "credit": "Blake Burkhart",
          "cvss_v2": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-77",
            "CWE-937"
          ],
          "date": "2016-11-28",
          "description": " Git allows executing arbitrary shell commands using `git-remote-ext` via remote\nURLs. Normally git never requests URLs that the user does not specifically request, so this is not a serious security concern. However, submodules did allow the remote repository to specify what URL to clone from. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.",
          "fixed_versions": [
            "1.0.1"
          ],
          "identifier": "CVE-2015-8968",
          "identifiers": [
            "CVE-2015-8968"
          ],
          "not_impacted": "All versions starting from 1.0.1",
          "package_slug": "gem/git-fastclone",
          "pubdate": "2016-11-03",
          "solution": "Upgrade to version 1.0.1 or above.",
          "title": "Arbitrary shell command execution from .gitmodules",
          "urls": [
            "https://github.com/square/git-fastclone/pull/2",
            "https://hackerone.com/reports/104465"
          ],
          "uuid": "4fe98f18-52d8-4aeb-8412-180c715ab574"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:squareup:git-fastclone:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2015-8968"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-77"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/square/git-fastclone/pull/2",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/square/git-fastclone/pull/2"
            },
            {
              "name": "https://hackerone.com/reports/104465",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/104465"
            },
            {
              "name": "81433",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/81433"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-06-10T13:24Z",
      "publishedDate": "2016-11-03T10:59Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.