CVE-2018-11235

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-11235
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11235.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-11235
Downstream
Related
Published
2018-05-30T04:29:00.287Z
Modified
2026-05-28T04:04:20.834490147Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Database specific 
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "14.04"
                },
                {
                    "last_affected": "16.04"
                },
                {
                    "last_affected": "17.10"
                },
                {
                    "last_affected": "18.04"
                }
            ],
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"
            ],
            "source": "CPE_STRING",
            "vendor_product": "canonical:ubuntu_linux"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "8.0"
                },
                {
                    "last_affected": "9.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "debian:debian_linux",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:enterprise_linux"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:enterprise_linux_desktop",
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:enterprise_linux_server",
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.5"
                }
            ],
            "vendor_product": "redhat:enterprise_linux_server_eus",
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:enterprise_linux_workstation",
            "cpes": [
                "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"
            ]
        }
    ]
}
References

Affected packages

Git / github.com/git-for-windows/git

Affected ranges

Type
GIT
Repo
https://github.com/git-for-windows/git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
42e6fde5c28150206956ea4be490d886c4ecbd68
Last affected
468165c1d8a442994a825f3684528361727cd8c0
Last affected
fc54c1af3ec09bab8b8ea09768c2da4069b7f53e
Introduced
4384e3cde2ce8ecd194202e171ae16333d241326
Last affected
fc849d8d6b90e5c1e0c37bc0d60dd92b2fe7347f
Introduced
cb5918aa0d50f50e83787f65c2ddc3dcb10159fe
Last affected
9b185bef0c15cec1ea8753ce091e42ea041f2c31
Introduced
2512f15446149235156528dafbe75930c712b29e
Last affected
d32eb83c1db7d0a8bb54fe743c6d1dd674d372c5
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.13.6"
        },
        {
            "last_affected": "2.17.0"
        },
        {
            "last_affected": "2.17.1"
        },
        {
            "introduced": "2.14.0"
        },
        {
            "last_affected": "2.14.3"
        },
        {
            "introduced": "2.15.0"
        },
        {
            "last_affected": "2.15.1"
        },
        {
            "introduced": "2.16.0"
        },
        {
            "last_affected": "2.16.3"
        }
    ],
    "cpe": [
        "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:git-scm:git:2.17.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:gitforwindows:git:*:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

v0.*
v0.99
v0.99.1
v0.99.2
v0.99.3
v0.99.4
v0.99.5
v0.99.6
v0.99.7
v0.99.8
v0.99.8a
v0.99.8b
v0.99.8c
v0.99.8d
v0.99.8e
v0.99.8f
v0.99.8g
v0.99.9a
v0.99.9b
v0.99.9c
v0.99.9d
v0.99.9e
v0.99.9f
v0.99.9g
v0.99.9h
v0.99.9i
v0.99.9j
v0.99.9k
v0.99.9l
v0.99.9m
v0.99.9n
v1.*
v1.0.0
v1.0rc1
v1.0rc2
v1.0rc3
v1.0rc4
v1.0rc5
v1.0rc6
v1.1.0
v1.2.0
v1.3.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.4
v1.4.4-rc1
v1.4.4-rc2
v1.4.4.1
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.0-rc4
v1.5.1
v1.5.1-rc1
v1.5.1-rc2
v1.5.1-rc3
v1.5.2
v1.5.2-rc0
v1.5.2-rc1
v1.5.2-rc2
v1.5.2-rc3
v1.5.3
v1.5.3-rc0
v1.5.3-rc1
v1.5.3-rc2
v1.5.3-rc3
v1.5.3-rc4
v1.5.3-rc5
v1.5.3-rc6
v1.5.3-rc7
v1.5.3.1
v1.5.4
v1.5.4-rc0
v1.5.4-rc1
v1.5.4-rc2
v1.5.4-rc3
v1.5.4-rc4
v1.5.4-rc5
v1.5.5
v1.5.5-rc0
v1.5.5-rc1
v1.5.5-rc2
v1.5.5-rc3
v1.5.6
v1.5.6-rc0
v1.5.6-rc1
v1.5.6-rc2
v1.5.6-rc3
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.6.0-rc2
v1.6.0-rc3
v1.6.1
v1.6.1-rc1
v1.6.1-rc2
v1.6.1-rc3
v1.6.1-rc4
v1.6.2
v1.6.2-rc0
v1.6.2-rc1
v1.6.2-rc2
v1.6.3
v1.6.3-rc0
v1.6.3-rc1
v1.6.3-rc2
v1.6.3-rc3
v1.6.3-rc4
v1.6.4
v1.6.4-rc0
v1.6.4-rc1
v1.6.4-rc2
v1.6.4-rc3
v1.6.5
v1.6.5-rc0
v1.6.5-rc1
v1.6.5-rc2
v1.6.5-rc3
v1.6.6
v1.6.6-rc0
v1.6.6-rc1
v1.6.6-rc2
v1.6.6-rc3
v1.6.6-rc4
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2
v1.7.1
v1.7.1-rc0
v1.7.1-rc1
v1.7.1-rc2
v1.7.10
v1.7.10-rc0
v1.7.10-rc1
v1.7.10-rc2
v1.7.10-rc3
v1.7.10-rc4
v1.7.11
v1.7.11-rc0
v1.7.11-rc1
v1.7.11-rc2
v1.7.11-rc3
v1.7.12
v1.7.12-rc0
v1.7.12-rc1
v1.7.12-rc2
v1.7.12-rc3
v1.7.2
v1.7.2-rc0
v1.7.2-rc1
v1.7.2-rc2
v1.7.2-rc3
v1.7.3
v1.7.3-rc0
v1.7.3-rc1
v1.7.3-rc2
v1.7.3.1
v1.7.4
v1.7.4-rc0
v1.7.4-rc1
v1.7.4-rc2
v1.7.4-rc3
v1.7.5
v1.7.5-rc0
v1.7.5-rc1
v1.7.5-rc2
v1.7.5-rc3
v1.7.6
v1.7.6-rc0
v1.7.6-rc1
v1.7.6-rc2
v1.7.6-rc3
v1.7.7
v1.7.7-rc0
v1.7.7-rc1
v1.7.7-rc2
v1.7.7-rc3
v1.7.8
v1.7.8-rc0
v1.7.8-rc1
v1.7.8-rc2
v1.7.8-rc3
v1.7.8-rc4
v1.7.9
v1.7.9-rc0
v1.7.9-rc1
v1.7.9-rc2
v1.8.0
v1.8.0-rc0
v1.8.0-rc1
v1.8.0-rc2
v1.8.0-rc3
v1.8.1
v1.8.1-rc0
v1.8.1-rc1
v1.8.1-rc2
v1.8.1-rc3
v1.8.2
v1.8.2-rc0
v1.8.2-rc1
v1.8.2-rc2
v1.8.2-rc3
v1.8.3
v1.8.3-rc0
v1.8.3-rc1
v1.8.3-rc2
v1.8.3-rc3
v1.8.4
v1.8.4-rc0
v1.8.4-rc1
v1.8.4-rc2
v1.8.4-rc3
v1.8.4-rc4
v1.8.5
v1.8.5-rc0
v1.8.5-rc1
v1.8.5-rc2
v1.8.5-rc3
v1.9-rc0
v1.9-rc1
v1.9-rc2
v1.9.0
v1.9.0-rc3
v2.*
v2.0.0
v2.0.0-rc0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.1.0
v2.1.0-rc0
v2.1.0-rc1
v2.1.0-rc2
v2.10.0
v2.10.0-rc0
v2.10.0-rc1
v2.10.0-rc2
v2.11.0
v2.11.0-rc0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3
v2.12.0
v2.12.0-rc0
v2.12.0-rc1
v2.12.0-rc2
v2.13.0
v2.13.0-rc0
v2.13.0-rc1
v2.13.0-rc2
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.13.6
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v2.17.0
v2.17.0-rc0
v2.17.0-rc1
v2.17.0-rc2
v2.17.1
v2.2.0
v2.2.0-rc0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2
v2.4.0
v2.4.0-rc0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.5.0
v2.5.0-rc0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.6.0
v2.6.0-rc0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.7.0
v2.7.0-rc0
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.8.0
v2.8.0-rc0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.9.0
v2.9.0-rc0
v2.9.0-rc1
v2.9.0-rc2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11235.json"

Git / github.com/git/git

Affected ranges

Type
GIT
Repo
https://github.com/git/git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
42e6fde5c28150206956ea4be490d886c4ecbd68
Last affected
468165c1d8a442994a825f3684528361727cd8c0
Introduced
4384e3cde2ce8ecd194202e171ae16333d241326
Last affected
fc849d8d6b90e5c1e0c37bc0d60dd92b2fe7347f
Introduced
cb5918aa0d50f50e83787f65c2ddc3dcb10159fe
Last affected
9b185bef0c15cec1ea8753ce091e42ea041f2c31
Introduced
2512f15446149235156528dafbe75930c712b29e
Last affected
d32eb83c1db7d0a8bb54fe743c6d1dd674d372c5
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.13.6"
        },
        {
            "last_affected": "2.17.0"
        },
        {
            "introduced": "2.14.0"
        },
        {
            "last_affected": "2.14.3"
        },
        {
            "introduced": "2.15.0"
        },
        {
            "last_affected": "2.15.1"
        },
        {
            "introduced": "2.16.0"
        },
        {
            "last_affected": "2.16.3"
        }
    ],
    "cpe": [
        "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:git-scm:git:2.17.0:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

v0.*
v0.99
v0.99.1
v0.99.2
v0.99.3
v0.99.4
v0.99.5
v0.99.6
v0.99.7
v0.99.8
v0.99.8a
v0.99.8b
v0.99.8c
v0.99.8d
v0.99.8e
v0.99.8f
v0.99.8g
v0.99.9a
v0.99.9b
v0.99.9c
v0.99.9d
v0.99.9e
v0.99.9f
v0.99.9g
v0.99.9h
v0.99.9i
v0.99.9j
v0.99.9k
v0.99.9l
v0.99.9m
v0.99.9n
v1.*
v1.0.0
v1.0rc1
v1.0rc2
v1.0rc3
v1.0rc4
v1.0rc5
v1.0rc6
v1.1.0
v1.2.0
v1.3.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.4
v1.4.4-rc1
v1.4.4-rc2
v1.4.4.1
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.0-rc4
v1.5.1
v1.5.1-rc1
v1.5.1-rc2
v1.5.1-rc3
v1.5.2
v1.5.2-rc0
v1.5.2-rc1
v1.5.2-rc2
v1.5.2-rc3
v1.5.3
v1.5.3-rc0
v1.5.3-rc1
v1.5.3-rc2
v1.5.3-rc3
v1.5.3-rc4
v1.5.3-rc5
v1.5.3-rc6
v1.5.3-rc7
v1.5.3.1
v1.5.4
v1.5.4-rc0
v1.5.4-rc1
v1.5.4-rc2
v1.5.4-rc3
v1.5.4-rc4
v1.5.4-rc5
v1.5.5
v1.5.5-rc0
v1.5.5-rc1
v1.5.5-rc2
v1.5.5-rc3
v1.5.6
v1.5.6-rc0
v1.5.6-rc1
v1.5.6-rc2
v1.5.6-rc3
v1.6.0
v1.6.0-rc0
v1.6.0-rc1
v1.6.0-rc2
v1.6.0-rc3
v1.6.1
v1.6.1-rc1
v1.6.1-rc2
v1.6.1-rc3
v1.6.1-rc4
v1.6.2
v1.6.2-rc0
v1.6.2-rc1
v1.6.2-rc2
v1.6.3
v1.6.3-rc0
v1.6.3-rc1
v1.6.3-rc2
v1.6.3-rc3
v1.6.3-rc4
v1.6.4
v1.6.4-rc0
v1.6.4-rc1
v1.6.4-rc2
v1.6.4-rc3
v1.6.5
v1.6.5-rc0
v1.6.5-rc1
v1.6.5-rc2
v1.6.5-rc3
v1.6.6
v1.6.6-rc0
v1.6.6-rc1
v1.6.6-rc2
v1.6.6-rc3
v1.6.6-rc4
v1.7.0
v1.7.0-rc0
v1.7.0-rc1
v1.7.0-rc2
v1.7.1
v1.7.1-rc0
v1.7.1-rc1
v1.7.1-rc2
v1.7.10
v1.7.10-rc0
v1.7.10-rc1
v1.7.10-rc2
v1.7.10-rc3
v1.7.10-rc4
v1.7.11
v1.7.11-rc0
v1.7.11-rc1
v1.7.11-rc2
v1.7.11-rc3
v1.7.12
v1.7.12-rc0
v1.7.12-rc1
v1.7.12-rc2
v1.7.12-rc3
v1.7.2
v1.7.2-rc0
v1.7.2-rc1
v1.7.2-rc2
v1.7.2-rc3
v1.7.3
v1.7.3-rc0
v1.7.3-rc1
v1.7.3-rc2
v1.7.3.1
v1.7.4
v1.7.4-rc0
v1.7.4-rc1
v1.7.4-rc2
v1.7.4-rc3
v1.7.5
v1.7.5-rc0
v1.7.5-rc1
v1.7.5-rc2
v1.7.5-rc3
v1.7.6
v1.7.6-rc0
v1.7.6-rc1
v1.7.6-rc2
v1.7.6-rc3
v1.7.7
v1.7.7-rc0
v1.7.7-rc1
v1.7.7-rc2
v1.7.7-rc3
v1.7.8
v1.7.8-rc0
v1.7.8-rc1
v1.7.8-rc2
v1.7.8-rc3
v1.7.8-rc4
v1.7.9
v1.7.9-rc0
v1.7.9-rc1
v1.7.9-rc2
v1.8.0
v1.8.0-rc0
v1.8.0-rc1
v1.8.0-rc2
v1.8.0-rc3
v1.8.1
v1.8.1-rc0
v1.8.1-rc1
v1.8.1-rc2
v1.8.1-rc3
v1.8.2
v1.8.2-rc0
v1.8.2-rc1
v1.8.2-rc2
v1.8.2-rc3
v1.8.3
v1.8.3-rc0
v1.8.3-rc1
v1.8.3-rc2
v1.8.3-rc3
v1.8.4
v1.8.4-rc0
v1.8.4-rc1
v1.8.4-rc2
v1.8.4-rc3
v1.8.4-rc4
v1.8.5
v1.8.5-rc0
v1.8.5-rc1
v1.8.5-rc2
v1.8.5-rc3
v1.9-rc0
v1.9-rc1
v1.9-rc2
v1.9.0
v1.9.0-rc3
v2.*
v2.0.0
v2.0.0-rc0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.1.0
v2.1.0-rc0
v2.1.0-rc1
v2.1.0-rc2
v2.10.0
v2.10.0-rc0
v2.10.0-rc1
v2.10.0-rc2
v2.11.0
v2.11.0-rc0
v2.11.0-rc1
v2.11.0-rc2
v2.11.0-rc3
v2.12.0
v2.12.0-rc0
v2.12.0-rc1
v2.12.0-rc2
v2.13.0
v2.13.0-rc0
v2.13.0-rc1
v2.13.0-rc2
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.13.6
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v2.17.0
v2.17.0-rc0
v2.17.0-rc1
v2.17.0-rc2
v2.2.0
v2.2.0-rc0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.3.0
v2.3.0-rc0
v2.3.0-rc1
v2.3.0-rc2
v2.4.0
v2.4.0-rc0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.5.0
v2.5.0-rc0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.6.0
v2.6.0-rc0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.7.0
v2.7.0-rc0
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.8.0
v2.8.0-rc0
v2.8.0-rc1
v2.8.0-rc2
v2.8.0-rc3
v2.8.0-rc4
v2.9.0
v2.9.0-rc0
v2.9.0-rc1
v2.9.0-rc2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-11235.json"