CVE-2018-17456
- Source
- https://cve.org/CVERecord?id=CVE-2018-17456
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17456.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-17456
- Downstream
- Related
- Published
- 2018-10-06T14:29:00.300Z
- Modified
- 2026-03-15T22:20:00.497394Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://marc.info/?l=git&m=153875888916397&w=2
- https://www.openwall.com/lists/oss-security/2018/10/06/3
- http://www.securityfocus.com/bid/105523
- https://access.redhat.com/errata/RHSA-2018:3408
- https://usn.ubuntu.com/3791-1/
- http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
- https://access.redhat.com/errata/RHSA-2018:3505
- https://access.redhat.com/errata/RHSA-2020:0316
- https://seclists.org/bugtraq/2019/Mar/30
- http://www.securityfocus.com/bid/107511
- https://www.debian.org/security/2018/dsa-4311
- http://www.securitytracker.com/id/1041811
- https://access.redhat.com/errata/RHSA-2018:3541
- https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
- https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
- https://www.exploit-db.com/exploits/45631/
- https://www.exploit-db.com/exploits/45548/
Affected packages
Git / github.com/git/git
Affected ranges
- Type
- GIT
- Repo
- https://github.com/git/git
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedFixedFixed
- Database specific
{ "versions": [ { "introduced": "2.14.0" }, { "fixed": "2.14.5" }, { "introduced": "2.15.0" }, { "fixed": "2.15.3" }, { "introduced": "2.16.0" }, { "fixed": "2.16.5" }, { "introduced": "2.17.0" }, { "fixed": "2.17.2" }, { "introduced": "2.18.0" }, { "fixed": "2.18.1" }, { "introduced": "2.19.0" }, { "fixed": "2.19.1" } ] }
Affected versions
v2.*
v2.10.4
v2.10.5
v2.11.3
v2.11.4
v2.12.4
v2.12.5
v2.13.5
v2.13.6
v2.13.7
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.7.6
v2.8.6
v2.9.5
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17456.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.7"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.04"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
}
]
vanir_signatures
[
{
"signature_type": "Function",
"id": "CVE-2018-17456-2df45b27",
"source": "https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404",
"signature_version": "v1",
"target": {
"function": "fsck_gitmodules_fn",
"file": "fsck.c"
},
"deprecated": false,
"digest": {
"function_hash": "280767856758277171414092295284574468787",
"length": 653.0
}
},
{
"signature_type": "Function",
"id": "CVE-2018-17456-6395f845",
"source": "https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46",
"signature_version": "v1",
"target": {
"function": "fsck_gitmodules_fn",
"file": "fsck.c"
},
"deprecated": false,
"digest": {
"function_hash": "74687755865234334360883501852567920378",
"length": 464.0
}
},
{
"signature_type": "Line",
"id": "CVE-2018-17456-f3198db8",
"source": "https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404",
"signature_version": "v1",
"target": {
"file": "fsck.c"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"61187277327173978608487490955699247805",
"322478933031989535159482901598085121490",
"105640845193175585999041621410241546937",
"320863403475869972817195883113195046675",
"112056197659761133531585212977590424954",
"186663816293050747954242156545984267682",
"206904128480667008530182138888978574630",
"191728292391714541701984138567608141284"
]
}
},
{
"signature_type": "Line",
"id": "CVE-2018-17456-ff58f248",
"source": "https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46",
"signature_version": "v1",
"target": {
"file": "fsck.c"
},
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"217918380924176957102810654075341599196",
"117753730928290908950277960920988579234",
"238564133705298630809711888480831625193",
"40793998524149642212331206026820467726",
"131744534305363149181561143635993325041",
"118269845443441089115293841204093565177",
"154178865154027729581994095520201329671",
"45981377794252269677761437338334550314"
]
}
}
]