CVE-2018-17456
- Source
- https://cve.org/CVERecord?id=CVE-2018-17456
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17456.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-17456
- Downstream
- Related
- Published
- 2018-10-06T14:29:00.300Z
- Modified
- 2026-05-30T10:55:17.861718Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
- Database specific
{ "unresolved_ranges": [ { "extracted_events": [ { "last_affected": "14.04" }, { "last_affected": "16.04" }, { "last_affected": "18.04" } ], "cpes": [ "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" ], "source": "CPE_STRING", "vendor_product": "canonical:ubuntu_linux" }, { "extracted_events": [ { "last_affected": "9.0" } ], "cpes": [ "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "debian:debian_linux" }, { "extracted_events": [ { "last_affected": "3.3" } ], "cpes": [ "cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:ansible_tower" }, { "extracted_events": [ { "last_affected": "6.0" }, { "last_affected": "6.7" }, { "last_affected": "7.0" }, { "last_affected": "7.3" }, { "last_affected": "7.4" }, { "last_affected": "7.5" }, { "last_affected": "7.6" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux" }, { "extracted_events": [ { "last_affected": "7.0" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux_desktop" }, { "extracted_events": [ { "last_affected": "7.0" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux_server" }, { "extracted_events": [ { "last_affected": "7.6" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux_server_aus" }, { "extracted_events": [ { "last_affected": "7.6" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux_server_eus" }, { "extracted_events": [ { "last_affected": "7.6" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux_server_tus" }, { "extracted_events": [ { "last_affected": "7.0" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING", "vendor_product": "redhat:enterprise_linux_workstation" } ] }- References
-
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
- http://www.securityfocus.com/bid/105523
- http://www.securityfocus.com/bid/107511
- http://www.securitytracker.com/id/1041811
- https://access.redhat.com/errata/RHSA-2018:3408
- https://access.redhat.com/errata/RHSA-2018:3505
- https://access.redhat.com/errata/RHSA-2018:3541
- https://access.redhat.com/errata/RHSA-2020:0316
- https://marc.info/?l=git&m=153875888916397&w=2
- https://seclists.org/bugtraq/2019/Mar/30
- https://usn.ubuntu.com/3791-1/
- https://www.debian.org/security/2018/dsa-4311
- https://www.openwall.com/lists/oss-security/2018/10/06/3
- https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404
- https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46
- https://www.exploit-db.com/exploits/45548/
- https://www.exploit-db.com/exploits/45631/
Affected packages
Git / github.com/git-for-windows/git
Git / github.com/git/git
Affected ranges
- Type
- GIT
- Repo
- https://github.com/git/git
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedFixedFixed
- Database specific
{ "cpe": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "2.14.0" }, { "fixed": "2.14.5" }, { "introduced": "2.15.0" }, { "fixed": "2.15.3" }, { "introduced": "2.16.0" }, { "fixed": "2.16.5" }, { "introduced": "2.17.0" }, { "fixed": "2.17.2" }, { "introduced": "2.18.0" }, { "fixed": "2.18.1" }, { "introduced": "2.19.0" }, { "fixed": "2.19.1" } ], "source": [ "CPE_RANGE", "REFERENCES" ] }
Affected versions
v2.*
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v2.16.4
v2.17.0
v2.17.1
v2.18.0
v2.19.0
Database specific
vanir_signatures_modified
"2026-05-30T10:55:17Z"
vanir_signatures
[
{
"target": {
"file": "fsck.c",
"function": "fsck_gitmodules_fn"
},
"id": "CVE-2018-17456-6395f845",
"signature_type": "Function",
"digest": {
"function_hash": "74687755865234334360883501852567920378",
"length": 464.0
},
"signature_version": "v1",
"source": "https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46",
"deprecated": false
},
{
"target": {
"file": "fsck.c"
},
"id": "CVE-2018-17456-ff58f248",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"217918380924176957102810654075341599196",
"117753730928290908950277960920988579234",
"238564133705298630809711888480831625193",
"40793998524149642212331206026820467726",
"131744534305363149181561143635993325041",
"118269845443441089115293841204093565177",
"154178865154027729581994095520201329671",
"45981377794252269677761437338334550314"
]
},
"signature_version": "v1",
"source": "https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46",
"deprecated": false
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17456.json"