CVE-2015-7545
Published 2016-04-13
Priority: P2 · 66 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 20.14% (97.1th percentile)
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | git | < git 1:2.6.1-1 (bookworm) | git 1:2.6.1-1 (bookworm) |
| git | git | >= 0 < 1:2.6.1-1 | 1:2.6.1-1 |
| git_project | git | <= 2.3.9 | — |
| git_project | git | — | — |
Detection & IOCs (extracted from sources)
- Monitor for git clone operations using the --recursive flag against untrusted repositories, as this is required to trigger the vulnerability.
- Inspect .gitmodules files in cloned repositories for URLs beginning with 'ext::', which indicate use of the git-remote-ext helper and potential command injection.
- Detect absence or non-use of the GIT_ALLOW_PROTOCOL environment variable in git submodule operations; when set, it whitelists safe protocols and mitigates exploitation.
- Flag use of git-fastclone or Mercurial's convert extension against repositories with untrusted names/URLs, as these tools reimplement submodule fetching and are not protected by the upstream git patch.
- The vulnerability is only exploitable when recursive submodule cloning/updating is explicitly enabled; a default non-recursive git clone is not affected.
- Tools that reimplement git submodule fetching (e.g., git-fastclone, Mercurial's convert extension) remain vulnerable even when the underlying git binary is patched to a fixed version.
- The Red Hat Enterprise Linux 6 git package was assessed as not affected by this CVE.
- CVE-2016-3105 in Mercurial is a further side-effect of this CVE; Mercurial prior to 3.8 is also vulnerable when converting Git repos with hostile names.
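As an added defender-side check (not code from this page or from the Git project): a small Python scanner that parses a cloned repository's .gitmodules and flags every submodule whose URL protocol falls outside git's allowlist, applying the same GIT_ALLOW_PROTOCOL semantics the detection notes above describe. The sample .gitmodules content, the example.invalid host and all function names are constructed for this example.

```python
import os
import re

DEFAULT_ALLOW = "file:git:http:https:ssh"  # git's default allowlist after the CVE-2015-7545 fix
# Constructed sample .gitmodules, not taken from any real repository.
SAMPLE_GITMODULES = (
    '[submodule "lib/safe"]\n\tpath = lib/safe\n\turl = https://example.invalid/org/safe.git\n'
    '[submodule "lib/odd"]\n\tpath = lib/odd\n\turl = ext::some-helper %S /tmp/repo\n'
    '[submodule "lib/sibling"]\n\tpath = lib/sibling\n\turl = ../sibling.git\n'
)
_SECTION = re.compile(r'^\[submodule\s+"([^"]+)"\]$')
_KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')

def allowed_protocols(env=None):
    # Mirror git's effective allowlist: GIT_ALLOW_PROTOCOL if set, else the default.
    env = os.environ if env is None else env
    return set(env.get("GIT_ALLOW_PROTOCOL", DEFAULT_ALLOW).split(":"))

def parse_gitmodules(text):
    # Minimal .gitmodules parser: indented "key = value" lines under [submodule "name"].
    mods, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#;": continue
        if m := _SECTION.match(s):
            cur = mods.setdefault(m.group(1), {})
        elif cur is not None and (m := _KEYVAL.match(line)):
            cur[m.group(1).lower()] = m.group(2)
    return mods

def url_protocol(url):
    # Classify a submodule URL the way git's transport selection does.
    head = url.split("/", 1)[0]
    if "::" in head:                      # remote-helper form "<helper>::<address>", e.g. ext::
        return head.split("::", 1)[0].lower()
    if m := re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", url):
        return m.group(1).lower()
    if url.startswith(("./", "../")):
        return "relative"                 # resolved against the superproject's own URL
    if re.match(r"^[^/:]+:", url):
        return "ssh"                      # scp-like host:path
    return "file"

def scan_gitmodules(text, allow):
    # Flag every submodule whose URL uses a protocol outside the allowlist.
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        proto = url_protocol(cfg.get("url", ""))
        findings.append({"name": name, "url": cfg.get("url", ""), "protocol": proto,
                         "allowed": proto == "relative" or proto in allow})
    return findings
```

Relative URLs are reported as "relative" rather than judged, because their effective protocol is that of the superproject's own remote and must be checked there.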
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Ubuntu
Git vulnerability
vendor_ubuntu·2015-12-15
CVE-2015-7545 Git vulnerability
Title: Git vulnerability
Summary: Git could be made to run programs as your login if it processed an untrusted repository.
Blake Burkhart discovered that the Git git-remote-ext helper incorrectly handled recursive clones of git repositories. A remote attacker could possibly use this issue to execute arbitrary code by injecting commands via crafted URLs.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: arbitrary code execution via crafted URLs
vendor_redhat·2015-10-05·CVSS 9.8
CVE-2015-7545 [CRITICAL] CWE-77 git: arbitrary code execution via crafted URLs
git: arbitrary code execution via crafted URLs
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
Mitigation: Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-r
Debian
CVE-2015-7545: git - The (1) git-remote-ext and (2) unspecified other remote helper programs in Git b...
vendor_debian·2015·CVSS 9.8
CVE-2015-7545 [CRITICAL] CVE-2015-7545: git - The (1) git-remote-ext and (2) unspecified other remote helper programs in Git b...
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Scope: local
bookworm: resolved (fixed in 1:2.6.1-1)
bullseye: resolved (fixed in 1:2.6.1-1)
forky: resolved (fixed in 1:2.6.1-1)
sid: resolved (fixed in 1:2.6.1-1)
trixie: resolved (fixed in 1:2.6.1-1)
GHSA
GHSA-3rvg-chjx-7h2j: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2
ghsa_unreviewed·2022-05-14
CVE-2015-7545 [CRITICAL] CWE-20 GHSA-3rvg-chjx-7h2j: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
OSV
CVE-2015-7545: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2
osv·2016-04-13·CVSS 9.8
CVE-2015-7545 [CRITICAL] CVE-2015-7545: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-3105 mercurial: arbitrary code execution when converting git repos
bugzilla·2016-05-04·CVSS 9.8
CVE-2016-3105 [CRITICAL] CVE-2016-3105 mercurial: arbitrary code execution when converting git repos
CVE-2016-3105 mercurial: arbitrary code execution when converting git repos
A possible arbitrary code execution when converting Git repos was found in Mercurial. Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545.
External Reference:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29
Upstream fix:
https://selenic.com/hg/rev/a56296f55a5e
Discussion:
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1332946]
Bugzilla
mercurial: arbitrary code execution with Git subrepos
bugzilla·2016-03-30·CVSS 9.8
CVE-2015-7545 [CRITICAL] mercurial: arbitrary code execution with Git subrepos
mercurial: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545.
External references:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
Upstream fix:
https://selenic.com/repo/hg-stable/rev/34d43cb85de8
Discussion:
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1322268]
---
*** This bug has been marked as a duplicate of bug 1319768 ***
---
mercurial-3.5.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
---
mercurial-3.5.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still
Bugzilla
CVE-2016-3068 mercurial: command injection via git subrepository urls
bugzilla·2016-03-21·CVSS 9.8
CVE-2016-3068 [CRITICAL] CVE-2016-3068 mercurial: command injection via git subrepository urls
CVE-2016-3068 mercurial: command injection via git subrepository urls
It was reported that in mercurial there is a similar vulnerability to CVE-2015-7545 in git. Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories, allowing arbitrary shell commands to be run on `hg clone ...`.
Discussion:
Acknowledgments:
Name: Blake Burkhart
---
*** Bug 1322266 has been marked as a duplicate of this bug. ***
---
External references:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
Upstream fix:
https://selenic.com/repo/hg-stable/rev/34d43cb85de8
---
Created mercurial tracking bugs for th
HackerOne
git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
hackerone·2016-01-25·CVSS 9.8
CVE-2015-7545 [CRITICAL] git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
I recently discovered a security vulnerability in git that also affects other programs that manually reimplement submodule-like operations. The recent security update to git[0] concerning git-remote-ext URLs in submodules affects git-fastclone similarly. This bug was patched in Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10. The issue in git was just assigned CVE-2015-7545 [2]. Google's git-repo command was affected very similarly[3] to git-fastclone and it was recently patched too.
The git team's description of the bug was:
> Some protocols (like git-remote-ext) can execute arbitrary code
> found in the URL. The URLs that submodules use may come from
> arbitrary sources (e.g., .gitmodules files in a
Bugzilla
CVE-2015-7545 git: arbitrary code execution via crafted URLs [epel-5]
bugzilla·2015-10-08·CVSS 9.8
CVE-2015-7545 [CRITICAL] CVE-2015-7545 git: arbitrary code execution via crafted URLs [epel-5]
CVE-2015-7545 git: arbitrary code execution via crafted URLs [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-5 tracking bug for git: see blocks bug list for full d
Bugzilla
CVE-2015-7545 git: arbitrary code execution via crafted URLs
bugzilla·2015-10-08·CVSS 9.8
CVE-2015-7545 [CRITICAL] CVE-2015-7545 git: arbitrary code execution via crafted URLs
CVE-2015-7545 git: arbitrary code execution via crafted URLs
The following issue was fixed in Git version 2.6.1:
* Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.
Upstream patches:
https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c8
Bugzilla
CVE-2015-7545 git: arbitrary code execution via crafted URLs [fedora-all]
bugzilla·2015-10-08·CVSS 9.8
CVE-2015-7545 [CRITICAL] CVE-2015-7545 git: arbitrary code execution via crafted URLs [fedora-all]
CVE-2015-7545 git: arbitrary code execution via crafted URLs [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedo
References
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html
- http://rhn.redhat.com/errata/RHSA-2015-2515.html
- http://www.debian.org/security/2016/dsa-3435
- http://www.openwall.com/lists/oss-security/2015/12/08/5
- http://www.openwall.com/lists/oss-security/2015/12/09/8
- http://www.openwall.com/lists/oss-security/2015/12/11/7
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78711
- http://www.securitytracker.com/id/1034501
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
- http://www.ubuntu.com/usn/USN-2835-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1269794
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
- https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
- https://lkml.org/lkml/2015/10/5/683
- https://security.gentoo.org/glsa/201605-01