CVE-2018-11235 — Path Traversal in Red Hat Enterprise Linux Server
Severity
7.8 HIGH (NVD)
7.5 (OSV)
EPSS
41.7%
top 2.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 30
Latest update: May 13
Description
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypas…
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages: 7 packages
Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04, Enterprise Linux 7.0, 7.5
Patches
Vulnerability Details (4)
Vendor Advisories (4)
Community (5)
Bugzilla, 2018-06-29: libgit2: arbitrary code execution when recursively cloning a malicious repository (git CVE-2018-11235 variant) [fedora-all]
Bugzilla, 2018-06-29: libgit2: arbitrary file write when recursively cloning a malicious repository (git CVE-2018-11235 variant)
Bugzilla, 2018-06-27: CVE-2018-11235 libgit2: git: arbitrary code execution when recursively cloning a malicious repository [fedora-all]
Bugzilla, 2018-05-30: CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository [fedora-all]
Bugzilla, 2018-05-29: CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository