CVE-2018-17456

critical
Description

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html

http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html

http://www.securityfocus.com/bid/105523

http://www.securityfocus.com/bid/107511

http://www.securitytracker.com/id/1041811

https://access.redhat.com/errata/RHSA-2018:3408

https://access.redhat.com/errata/RHSA-2018:3505

https://access.redhat.com/errata/RHSA-2018:3541

https://access.redhat.com/errata/RHSA-2020:0316

https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404

https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46

https://marc.info/?l=git&m=153875888916397&w=2

https://seclists.org/bugtraq/2019/Mar/30

https://usn.ubuntu.com/3791-1/

https://www.debian.org/security/2018/dsa-4311

https://www.exploit-db.com/exploits/45548/

https://www.exploit-db.com/exploits/45631/

https://www.openwall.com/lists/oss-security/2018/10/06/3

Details

Source: MITRE

Published: 2018-10-06

Updated: 2020-08-24

Type: CWE-88

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 136311 | openSUSE Security Update : git (openSUSE-2020-598) | Nessus | SuSE Local Security Checks | high |
| 136074 | SUSE SLED15 / SLES15 Security Update : git (SUSE-SU-2020:1121-1) | Nessus | SuSE Local Security Checks | high |
| 135580 | SUSE SLES12 Security Update : git (SUSE-SU-2020:0992-1) | Nessus | SuSE Local Security Checks | high |
| 134311 | NewStart CGSL MAIN 4.05 : git Vulnerability (NS-SA-2020-0023) | Nessus | NewStart CGSL Local Security Checks | critical |
| 133447 | Scientific Linux Security Update : git on SL6.x i386/x86_64 (20200203) | Nessus | Scientific Linux Local Security Checks | critical |
| 133445 | RHEL 6 : git (RHSA-2020:0316) | Nessus | Red Hat Local Security Checks | critical |
| 133444 | Oracle Linux 6 : git (ELSA-2020-0316) | Nessus | Oracle Linux Local Security Checks | critical |
| 133442 | CentOS 6 : git (CESA-2020:0316) | Nessus | CentOS Local Security Checks | critical |
| 131881 | EulerOS 2.0 SP2 : git (EulerOS-SA-2019-2389) | Nessus | Huawei Local Security Checks | critical |
| 131125 | Photon OS 2.0: Git PHSA-2019-2.0-0185 | Nessus | PhotonOS Local Security Checks | critical |
| 129578 | SUSE SLES12 Security Update : git (SUSE-SU-2018:4088-3) | Nessus | SuSE Local Security Checks | critical |
| 127228 | NewStart CGSL CORE 5.04 / MAIN 5.04 : git Vulnerability (NS-SA-2019-0047) | Nessus | NewStart CGSL Local Security Checks | critical |
| 124923 | EulerOS Virtualization 3.0.1.0 : git (EulerOS-SA-2019-1420) | Nessus | Huawei Local Security Checks | critical |
| 124411 | Atlassian SourceTree 1.2 < 3.1.1 Multiple remote code execution vulnerabilities | Nessus | MacOS X Local Security Checks | high |
| 124387 | EulerOS 2.0 SP5 : git (EulerOS-SA-2019-1291) | Nessus | Huawei Local Security Checks | critical |
| 123869 | EulerOS Virtualization 2.5.3 : git (EulerOS-SA-2019-1183) | Nessus | Huawei Local Security Checks | critical |
| 123403 | openSUSE Security Update : libgit2 (openSUSE-2019-986) | Nessus | SuSE Local Security Checks | critical |
| 123340 | openSUSE Security Update : git (openSUSE-2019-802) | Nessus | SuSE Local Security Checks | critical |
| 122854 | Atlassian SourceTree 0.5a < 3.0.17 Multiple remote code execution vulnerabilities | Nessus | Windows | high |
| 120698 | Fedora 29 : libgit2 (2018-abfd4c6ac3) | Nessus | Fedora Local Security Checks | critical |
| 120381 | Fedora 28 : libgit2 (2018-42eab0f5b9) | Nessus | Fedora Local Security Checks | critical |
| 120268 | Fedora 28 : git (2018-1c1a318a0b) | Nessus | Fedora Local Security Checks | critical |
| 120213 | Fedora 29 : git (2018-06090dff59) | Nessus | Fedora Local Security Checks | critical |
| 120182 | SUSE SLED15 / SLES15 Security Update : libgit2 (SUSE-SU-2018:4009-1) | Nessus | SuSE Local Security Checks | critical |
| 120129 | SUSE SLED15 / SLES15 Security Update : git (SUSE-SU-2018:3150-1) | Nessus | SuSE Local Security Checks | critical |
| 119649 | SUSE SLES12 Security Update : git (SUSE-SU-2018:4088-1) | Nessus | SuSE Local Security Checks | critical |
| 119546 | openSUSE Security Update : libgit2 (openSUSE-2018-1517) | Nessus | SuSE Local Security Checks | critical |
| 119516 | EulerOS 2.0 SP3 : git (EulerOS-SA-2018-1388) | Nessus | Huawei Local Security Checks | critical |
| 119206 | Scientific Linux Security Update : git on SL7.x x86_64 (20181031) | Nessus | Scientific Linux Local Security Checks | critical |
| 119046 | CentOS 7 : git (CESA-2018:3408) | Nessus | CentOS Local Security Checks | critical |
| 118859 | Oracle Linux 7 : git (ELSA-2018-3408) | Nessus | Oracle Linux Local Security Checks | critical |
| 118555 | RHEL 7 : git (RHSA-2018:3408) | Nessus | Red Hat Local Security Checks | critical |
| 118400 | Amazon Linux 2 : git (ALAS-2018-1093) | Nessus | Amazon Linux Local Security Checks | critical |
| 118244 | Fedora 27 : git (2018-d5139c4fd6) | Nessus | Fedora Local Security Checks | critical |
| 118213 | Amazon Linux AMI : git (ALAS-2018-1093) | Nessus | Amazon Linux Local Security Checks | critical |
| 118169 | openSUSE Security Update : git (openSUSE-2018-1177) | Nessus | SuSE Local Security Checks | critical |
| 118124 | FreeBSD : Libgit2 -- multiple vulnerabilities (8c08ab4c-d06c-11e8-b35c-001b217b3468) | Nessus | FreeBSD Local Security Checks | critical |
| 118113 | openSUSE Security Update : git (openSUSE-2018-1147) | Nessus | SuSE Local Security Checks | critical |
| 118103 | Fedora 27 : libgit2 (2018-7d993184f6) | Nessus | Fedora Local Security Checks | critical |
| 118083 | Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Git vulnerability (USN-3791-1) | Nessus | Ubuntu Local Security Checks | critical |
| 118059 | Slackware 14.0 / 14.1 / 14.2 / current : git (SSA:2018-283-01) | Nessus | Slackware Local Security Checks | critical |
| 117957 | Debian DSA-4311-1 : git - security update | Nessus | Debian Local Security Checks | critical |