CVE-2018-17456
critical-risk
Published 2018-10-06
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
Do I need to act?
!
66.2% chance of exploitation in next 30 days
EPSS score — higher than 34% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (19)
References (36)
Third Party Advisory
http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execut...
Third Party Advisory
http://www.securityfocus.com/bid/105523
Third Party Advisory
http://www.securityfocus.com/bid/107511
Third Party Advisory
http://www.securitytracker.com/id/1041811
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3408
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3505
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3541
Third Party Advisory
https://marc.info/?l=git&m=153875888916397&w=2
Mailing List
https://seclists.org/bugtraq/2019/Mar/30
Third Party Advisory
https://usn.ubuntu.com/3791-1/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4311
Third Party Advisory
http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execut...
and 16 more references
70
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
19/34 · Moderate
Exposure
19/34 · Moderate