Description
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
An option injection flaw has been discovered in git when it recursively clones a repository with submodules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine.
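A defender-side check for the condition the description names, added here as an example (not code from the page, from git or from Red Hat): a small parser for the git-config style .gitmodules file that reports submodules whose `url` value begins with '-', which is exactly what an unpatched recursive clone would hand to a sub-command as an option. The sample file content is constructed; the parser is deliberately simplified (no include directives or escape handling) and the function names are the example's own.

```python
import re

# Constructed sample .gitmodules content: one ordinary submodule and one
# whose url value starts with '-' (the pattern behind CVE-2018-17456).
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
    path = vendor/libfoo
    url = https://example.invalid/libfoo.git
[submodule "suspicious"]
    path = vendor/suspicious
    url = -looks-like-an-option
"""

# [submodule "<name>"] section header
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
# key = value line (comments and blank lines are skipped before this)
KEYVAL_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text):
    """Parse .gitmodules into {submodule name: {key: value}} (simplified)."""
    modules = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            value = m.group("value")
            # git allows double-quoted values; drop the quotes
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[m.group("key").lower()] = value
    return modules


def find_option_like_urls(text):
    """Names of submodules whose url would be parsed as a command-line option."""
    return sorted(name for name, keys in parse_gitmodules(text).items()
                  if keys.get("url", "").startswith("-"))


if __name__ == "__main__":
    for name in find_option_like_urls(SAMPLE_GITMODULES):
        print(f'suspicious url in [submodule "{name}"]')
```

Running the check over a superproject's .gitmodules before a recursive clone (or in CI on incoming repositories) flags the condition; the fixed git versions listed above reject such URLs themselves.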
Statement
OpenShift Container Platform (OCP) source-to-image uses the git client packaged with the OCP container images. Since RHEL7 and its associated images are impacted, source-to-image is also impacted. The atomic-openshift package running on the masters controls the code that determines the source-to-image build image in use, so a cluster update is required to patch this issue. Full instructions will be provided in the Security Errata for this issue. In OCP 3.6 and earlier, source-to-image executes in a privileged container on the node, so the severity of this CVE is Important for those versions. OCP 3.7 and later execute source-to-image git pulls in an unprivileged init container.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | git | Not affected | | |
| Red Hat Fuse 7 | camel | Affected | | |
| Red Hat JBoss Fuse 6 | camel | Affected | | |
| Red Hat JBoss Fuse Integration Service 2 | camel | Affected | | |
| Red Hat Mobile Application Platform 4 | fh-scm | Not affected | | |
| Red Hat Software Collections | rh-git218-git | Not affected | | |
| Red Hat Enterprise Linux 6 | git | Fixed | RHSA-2020:0316 | 03.02.2020 |
| Red Hat Enterprise Linux 7 | git | Fixed | RHSA-2018:3408 | 30.10.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-git29-git | Fixed | RHSA-2018:3541 | 13.11.2018 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | rh-git29-git | Fixed | RHSA-2018:3541 | 13.11.2018 |
Additional information
Status:
EPSS:
CVSS3: 8.8 High