Description
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
Mitigation
Avoid recursive cloning or updating of git submodules without first checking the submodule URLs. Non-recursive cloning is the default in git, so a user has to opt in (e.g. by specifying --recursive) to become vulnerable.
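One way to put that mitigation into practice is to clone non-recursively, vet every URL declared in `.gitmodules` with git's own config parser, and only then initialise submodules. The script below is an added example written for this page, not code from the advisory or from the Git project. It assumes `git` is installed; the allowlist of acceptable URL forms in `url_allowed` is this example's own policy, and the sample `.gitmodules` in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Git project.
# Vet the submodule URLs declared in a superproject's .gitmodules before
# running any recursive submodule operation, refusing remote-helper
# transports such as "ext::". Assumes git is installed; the allowlist in
# url_allowed is this example's own policy.

# Print "name<TAB>url" for each submodule declared in a .gitmodules file.
# git's own config parser is used so that quoting, escapes and continuation
# lines are interpreted exactly as git itself will interpret them.
submodule_urls() {
    git config -f "$1" --get-regexp '^submodule\..*\.url$' 2>/dev/null |
    while read -r key url; do
        name=${key#submodule.}
        name=${name%.url}
        printf '%s\t%s\n' "$name" "$url"
    done
}

# Return 0 if the URL is acceptable, 1 otherwise.
# Allowed: https://, ssh://, git://, scp-style user@host:path, and relative
# paths (./ or ../) that git resolves against the superproject's origin.
# Refused: any "<helper>::" remote-helper syntax (ext::, fd::, ...), any other
# scheme such as file://, and anything unrecognised. Conservative by design.
url_allowed() {
    case "$1" in
        https://*|ssh://*|git://*|./*|../*) return 0 ;;
        *::*)   return 1 ;;   # remote-helper transport, e.g. ext::sh -c ...
        *://*)  return 1 ;;   # any other scheme, e.g. file://
        *@*:*)  return 0 ;;   # scp-like git@host:path
        *)      return 1 ;;
    esac
}

# Check every submodule in a .gitmodules file. Prints a verdict per entry and
# returns 1 if any URL is refused, 0 otherwise.
check_gitmodules() {
    bad=0
    tmp=$(mktemp)
    submodule_urls "$1" > "$tmp"
    while IFS="$(printf '\t')" read -r name url; do
        if url_allowed "$url"; then
            printf 'OK       %s -> %s\n' "$name" "$url"
        else
            printf 'REFUSED  %s -> %s\n' "$name" "$url" >&2
            bad=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $bad
}

# Clone without --recursive, vet .gitmodules, and only then fetch submodules.
safe_clone() {
    git clone --quiet "$1" "$2" || return 1
    if [ -f "$2/.gitmodules" ]; then
        check_gitmodules "$2/.gitmodules" || {
            echo "refusing to fetch submodules of $2" >&2
            return 1
        }
    fi
    git -C "$2" submodule update --init --recursive
}

# Constructed sample: one benign submodule and one whose URL hands a command
# to git-remote-ext. Returns check_gitmodules' status (1: "vendor/evil" refused).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/.gitmodules" <<'EOF'
[submodule "lib/harmless"]
    path = lib/harmless
    url = https://example.com/harmless.git
[submodule "vendor/evil"]
    path = vendor/evil
    url = ext::sh -c echo% hello
EOF
    check_gitmodules "$dir/.gitmodules"
    status=$?
    rm -rf "$dir"
    return $status
}

if demo; then
    echo "demo: all submodule URLs acceptable"
else
    echo "demo: at least one submodule URL refused"
fi
```

The check deliberately reads `.gitmodules` through `git config -f` rather than a hand-written parser, so that the URLs it judges are the ones git would actually use; a second parser with different quoting rules is exactly what an attacker would try to split. On fixed Git versions (2.3.10 and later) the same idea is enforced inside git through the GIT_ALLOW_PROTOCOL environment variable, which restricts the transports submodules may use; this script is a belt-and-braces check for environments where an unfixed git might still be in use.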
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | git | Not affected | ||
Red Hat Enterprise Linux 7 | git | Fixed | RHSA-2015:2561 | 08.12.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 | git19-git | Fixed | RHSA-2015:2515 | 25.11.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS | git19-git | Fixed | RHSA-2015:2515 | 25.11.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | git19-git | Fixed | RHSA-2015:2515 | 25.11.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | git19-git | Fixed | RHSA-2015:2515 | 25.11.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | git19-git | Fixed | RHSA-2015:2515 | 25.11.2015 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS | git19-git | Fixed | RHSA-2015:2515 | 25.11.2015 |
Additional information
Status:
EPSS:
CVSS2: 6.8 Medium