CVE-2018-17456
First published: Fri Oct 05 2018(Updated: )
A flaw was found in git which allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with --recurse-submodules. References: <a href="https://bugzilla.novell.com/show_bug.cgi?id=1110949">https://bugzilla.novell.com/show_bug.cgi?id=1110949</a> <a href="https://groups.google.com/forum/#!topic/git-packagers/fNLXf6LQC08">https://groups.google.com/forum/#!topic/git-packagers/fNLXf6LQC08</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/git | <2.14.5 | 2.14.5 |
| redhat/git | <2.15.3 | 2.15.3 |
| redhat/git | <2.16.5 | 2.16.5 |
| redhat/git | <2.17.2 | 2.17.2 |
| redhat/git | <2.18.1 | 2.18.1 |
| redhat/git | <2.19.1 | 2.19.1 |
| ubuntu/git | <1:2.17.1-1ubuntu0.3 | 1:2.17.1-1ubuntu0.3 |
| ubuntu/git | <1:1.9.1-1ubuntu0.9 | 1:1.9.1-1ubuntu0.9 |
| ubuntu/git | <1:2.19.1-1 | 1:2.19.1-1 |
| ubuntu/git | <1:2.7.4-0ubuntu1.5 | 1:2.7.4-0ubuntu1.5 |
| debian/git | 1:2.30.2-1+deb11u2 1:2.39.2-1.1 1:2.43.0-1 1:2.45.2-1 | |
| Git Git-shell | >=2.14.0<2.14.5 | |
| Git Git-shell | >=2.15.0<2.15.3 | |
| Git Git-shell | >=2.16.0<2.16.5 | |
| Git Git-shell | >=2.17.0<2.17.2 | |
| Git Git-shell | >=2.18.0<2.18.1 | |
| Git Git-shell | >=2.19.0<2.19.1 | |
| Red Hat Ansible Tower | =3.3 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =6.7 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =7.3 | |
| Red Hat Enterprise Linux | =7.4 | |
| Red Hat Enterprise Linux | =7.5 | |
| Red Hat Enterprise Linux | =7.6 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux server aus | =7.6 | |
| redhat enterprise Linux server eus | =7.6 | |
| redhat enterprise Linux server tus | =7.6 | |
| redhat enterprise Linux workstation | =7.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Debian | =9.0 |
Remedy
https://git.kernel.org/pub/scm/git/git.git/commit/?id=98afac7a7cefdca0d2c4917dd8066a59f7088265
Remedy
https://git.kernel.org/pub/scm/git/git.git/commit/?id=f6adec4e329ef0e25e14c63b735a5956dc67b8bc
Remedy
https://git.kernel.org/pub/scm/git/git.git/commit/?id=273c61496f88c6495b886acb1041fe57965151da
Remedy
https://git.kernel.org/pub/scm/git/git.git/commit/?id=a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
Remedy
https://git.kernel.org/pub/scm/git/git.git/commit/?id=1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
- http://www.securityfocus.com/bid/105523
- http://www.securityfocus.com/bid/107511
- http://www.securitytracker.com/id/1041811
- https://access.redhat.com/errata/RHSA-2018:3408
- https://access.redhat.com/errata/RHSA-2018:3505
- https://access.redhat.com/errata/RHSA-2018:3541
- https://access.redhat.com/errata/RHSA-2020:0316
- https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
- https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
- https://marc.info/?l=git&m=153875888916397&w=2
- https://seclists.org/bugtraq/2019/Mar/30
- https://usn.ubuntu.com/3791-1/
- https://www.debian.org/security/2018/dsa-4311
- https://www.exploit-db.com/exploits/45548/
- https://www.exploit-db.com/exploits/45631/
- https://www.openwall.com/lists/oss-security/2018/10/06/3
- https://marc.info/?l=git&m=153875888916397&w=2
- https://launchpad.net/bugs/cve/CVE-2018-17456
- https://bugzilla.novell.com/show_bug.cgi?id=1110949
- https://groups.google.com/forum/#!topic/git-packagers/fNLXf6LQC08
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1636620
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1636621
- https://github.com/git/git/commit/98afac7a7cefdca0d2c4917dd8066a59f7088265
- https://github.com/git/git/commit/f6adec4e329ef0e25e14c63b735a5956dc67b8bc
- https://github.com/git/git/commit/273c61496f88c6495b886acb1041fe57965151da
- https://bugzilla.redhat.com/show_bug.cgi?id=1636619
- https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=98afac7a7cefdca0d2c4917dd8066a59f7088265
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=f6adec4e329ef0e25e14c63b735a5956dc67b8bc
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=273c61496f88c6495b886acb1041fe57965151da
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
- https://security-tracker.debian.org/tracker/CVE-2018-17456
- https://ubuntu.com/security/notices/USN-3791-1
- https://www.cve.org/CVERecord?id=CVE-2018-17456
- https://nvd.nist.gov/vuln/detail/CVE-2018-17456
- https://ubuntu.com/security/CVE-2018-17456
Frequently Asked Questions
What is CVE-2018-17456?
CVE-2018-17456 is a vulnerability in Git that allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
What is the severity of CVE-2018-17456?
The severity of CVE-2018-17456 is critical (9.8).
Which software versions are affected by CVE-2018-17456?
Git versions before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 are affected by CVE-2018-17456.
How can I fix CVE-2018-17456?
To fix CVE-2018-17456, you should update Git to version 2.14.5 or later.
Where can I find more information about CVE-2018-17456?
You can find more information about CVE-2018-17456 at the following references: [http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html](http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html), [http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html](http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html), [http://www.securityfocus.com/bid/105523](http://www.securityfocus.com/bid/105523).
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-17456
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian
- vendor/git-scm
- canonical/git git-shell
- version/git git-shell/2.14.0
- version/git git-shell/2.15.0
- version/git git-shell/2.16.0
- version/git git-shell/2.17.0
- version/git git-shell/2.18.0
- version/git git-shell/2.19.0
- vendor/redhat
- canonical/red hat ansible tower
- version/red hat ansible tower/3.3
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/6.7
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/7.3
- version/red hat enterprise linux/7.4
- version/red hat enterprise linux/7.5
- version/red hat enterprise linux/7.6
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- vendor/debian
- canonical/debian
- version/debian/9.0