CVE-2017-15298 — Uncontrolled Resource Consumption in GIT

CWE-400 — Uncontrolled Resource Consumption10 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.4%

top 36.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GIT Git-scm GIT Canonical Ubuntu Linux

Timeline

PublishedOct 14

Latest updateMay 13

Description

Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶Debiangit/git< 1:2.16.1-1+3

▶Ubuntugit/git< 1:1.9.1-1ubuntu0.10+2

▶NVDgit-scm/git2.14.2

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

🔴Vulnerability Details

GHSA

GHSA-h4pp-whcf-mhp8: Git through 2↗2022-05-13

▶

OSV

git vulnerabilities↗2018-11-27

▶

OSV

CVE-2017-15298: Git through 2↗2017-10-14

▶

CVEList

CVE-2017-15298: Git through 2↗2017-10-14

▶

📋Vendor Advisories

Ubuntu

Git vulnerabilities↗2018-11-27

▶

Red Hat

git: Mishandling layers of tree objects↗2017-10-12

▶

Debian

CVE-2017-15298: git - Git through 2.14.2 mishandles layers of tree objects, which allows remote attack...↗2017

▶

💬Community

Bugzilla

CVE-2017-15298 git: Mishandling layers of tree objects [fedora-all]↗2017-11-07

▶

Bugzilla

CVE-2017-15298 git: Mishandling layers of tree objects↗2017-11-07

▶