QwikSec

Security Database

CVE

CWE

Training

CVE-2018-11235

Published: May 30, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

exploit

x_refsource_EXPLOIT-DB

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_UBUNTU

https://marc.info/?l=git&m=152761328506724&w=2

x_refsource_MISC

vdb-entry

x_refsource_SECTRACK

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_GENTOO

vdb-entry

x_refsource_BID

https://blogs.msdn.microsoft.com/devops/2018/05/29/announcing-the-may-2018-git-security-vulnerability/

x_refsource_MISC

vendor-advisory

x_refsource_DEBIAN

openSUSE-SU-2020:0598

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.