CVE-2018-17456
Published: 6 October 2018
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
Priority
Status
Package | Release | Status |
---|---|---|
git Launchpad, Ubuntu, Debian |
upstream |
Released
(1:2.19.1-1)
|
xenial |
Released
(1:2.7.4-0ubuntu1.5)
|
|
bionic |
Released
(1:2.17.1-1ubuntu0.3)
|
|
trusty |
Released
(1:1.9.1-1ubuntu0.9)
|
|
Patches: upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=98afac7a7cefdca0d2c4917dd8066a59f7088265 upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=f6adec4e329ef0e25e14c63b735a5956dc67b8bc upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=273c61496f88c6495b886acb1041fe57965151da upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46 upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |