Description
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
A flaw was discovered where git improperly validates submodules' names used to construct git metadata paths and does not prevent them from being nested in existing directories used to store another submodule's metadata. A remote attacker could abuse this flaw to trick a victim user into cloning a malicious repository containing submodules, which, when recursively cloned, would trigger the flaw and remotely execute code on the victim's machine.
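As an added illustration of the metadata-path problem described above (example code, not Git's own implementation and not part of this advisory): a simplified Python check that reads the submodule names from a constructed .gitmodules file and flags any name whose metadata directory .git/modules/<name> would escape .git/modules or sit inside the metadata directory of another submodule listed in the same file. Git's actual validation is broader; this only mirrors the two properties the description mentions.

```python
import posixpath
import re
from typing import Dict, List

# Constructed sample (not from the advisory). "lib" is benign; the metadata
# of "lib/nested" would land under .git/modules/lib/nested, inside the
# directory that stores the metadata of "lib"; "../escape" leaves .git/modules.
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://example.invalid/lib.git
[submodule "lib/nested"]
\tpath = vendor/nested
\turl = https://example.invalid/nested.git
[submodule "../escape"]
\tpath = vendor/escape
\turl = https://example.invalid/escape.git
"""

_SECTION = re.compile(r'^\[submodule "(.+)"\]$')


def submodule_names(gitmodules: str) -> List[str]:
    """Return the names from [submodule "<name>"] section headers, in order."""
    return [m.group(1) for line in gitmodules.splitlines()
            if (m := _SECTION.match(line.strip()))]


def check_submodule_names(names: List[str]) -> Dict[str, str]:
    """Map each unsafe name to a reason; names that pass are omitted."""
    problems: Dict[str, str] = {}
    normalized: Dict[str, str] = {}
    for name in names:
        norm = posixpath.normpath(name)
        # The metadata path must stay strictly below .git/modules.
        if (name == "" or norm in (".", "..") or norm.startswith("../")
                or posixpath.isabs(norm) or "\\" in name):
            problems[name] = "escapes .git/modules"
        else:
            normalized[name] = norm
    # No metadata directory may lie inside another submodule's metadata directory.
    for name, norm in normalized.items():
        for other, onorm in normalized.items():
            if other != name and norm.startswith(onorm + "/"):
                problems[name] = f"nested inside metadata directory of {other!r}"
                break
    return problems
```

Running the check before a recursive clone of an untrusted repository turns the silent metadata-path collision into an explicit rejection.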
Report
This issue did not affect the versions of git as shipped with Red Hat Enterprise Linux 6, as they did not use submodule names to construct git metadata paths.
Mitigation
Avoid running git clone --recurse-submodules and git submodule update with untrusted repositories.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | git | Not affected | ||
Red Hat Fuse 7 | camel-git | Not affected | ||
Red Hat JBoss Fuse 6 | camel-git | Not affected | ||
Red Hat Enterprise Linux 7 | git | Fixed | RHSA-2020:0124 | 16.01.2020 |
Red Hat Enterprise Linux 8 | git | Fixed | RHSA-2019:4356 | 19.12.2019 |
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | git | Fixed | RHSA-2020:0228 | 27.01.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-git218-git | Fixed | RHSA-2020:0002 | 02.01.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | rh-git218-git | Fixed | RHSA-2020:0002 | 02.01.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-git218-git | Fixed | RHSA-2020:0002 | 02.01.2020 |
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-git218-git | Fixed | RHSA-2020:0002 | 02.01.2020 |
Additional information
CVSS3: 7.5 High