GHSA-8gg6-3r63-25m8

Source
https://github.com/advisories/GHSA-8gg6-3r63-25m8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-8gg6-3r63-25m8/GHSA-8gg6-3r63-25m8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8gg6-3r63-25m8
Aliases
  • CVE-2015-8968
Published
2018-08-15T20:03:37Z
Modified
2023-11-01T04:46:23.948878Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
git-fastclone permits arbitrary shell command execution from .gitmodules
Details

git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get the client to run an arbitrary shell command. Alternatively, if an attacker can MITM an unencrypted git clone, they could exploit this. The command embedded in an ext:: submodule URL is run when the repository is recursively cloned or when submodules are updated. This attack works when cloning both local and remote repositories.
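The attack described above relies on git's remote-helper URL syntax: a submodule url of the form ext::<command> makes git hand <command> to the shell when the submodule is fetched. The Ruby script below is an added example, not code from git-fastclone: it parses a .gitmodules file, flags submodules whose URL would use a transport outside an allow-list, and builds the GIT_ALLOW_PROTOCOL environment (a git feature, git 2.6 and later) that makes git itself refuse such transports during a recursive clone. The allow-list, the sample .gitmodules, and the function names are assumptions made for this example; the page does not state how 1.0.1 fixes the issue.

```ruby
# Added example (not git-fastclone's own code): detect submodule URLs that
# would invoke a git remote helper such as ext::, and build the environment
# that restricts git to a safe set of transports during a recursive clone.

# Transports a recursive clone is allowed to use. 'ext' is deliberately absent:
# an ext::<command> URL runs <command> through the shell. The list itself is an
# assumption for this example; adjust it to your environment.
SAFE_PROTOCOLS = %w[file git http https ssh].freeze

# Minimal parser for .gitmodules (git-config syntax). Returns
# { "name" => { "path" => "...", "url" => "..." } }.
def parse_gitmodules(text)
  modules = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[submodule\s+"([^"]+)"\]\z/))
      current = modules[m[1]] = {}
    elsif current && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      current[m[1]] = m[2]
    end
  end
  modules
end

# Name the transport git would use for a submodule URL.
def transport_of(url)
  case url
  when /\A([A-Za-z][A-Za-z0-9+.-]*)::/ then $1   # remote helper, e.g. ext::
  when %r{\A([A-Za-z][A-Za-z0-9+.-]*)://} then $1 # scheme://host/path
  when %r{\A\.\.?/} then 'relative'               # resolved against the superproject URL
  when %r{\A[^/]+:} then 'ssh'                    # scp-like user@host:path
  else 'file'                                     # local path
  end
end

# Return [name, url, transport] for each submodule whose transport is not allowed.
def unsafe_submodules(gitmodules_text, allowed = SAFE_PROTOCOLS)
  parse_gitmodules(gitmodules_text).filter_map do |name, cfg|
    url = cfg['url'].to_s
    transport = transport_of(url)
    next if transport == 'relative' || allowed.include?(transport)
    [name, url, transport]
  end
end

# Environment for a hardened clone. GIT_ALLOW_PROTOCOL (git 2.6 and later) is a
# colon-separated allow-list; git refuses any other transport, so a malicious
# ext:: submodule URL fails instead of running a command.
def hardened_git_env(allowed = SAFE_PROTOCOLS)
  { 'GIT_ALLOW_PROTOCOL' => allowed.join(':') }
end

# Constructed sample .gitmodules; the ext:: entry has the shape of the attack.
SAMPLE_GITMODULES = <<~GITMODULES
  [submodule "vendor/lib"]
      path = vendor/lib
      url = https://example.invalid/org/lib.git
  [submodule "tools"]
      path = tools
      url = git@example.invalid:org/tools.git
  [submodule "evil"]
      path = evil
      url = ext::sh -c 'touch /tmp/pwned' %S
GITMODULES

if __FILE__ == $PROGRAM_NAME
  unsafe_submodules(SAMPLE_GITMODULES).each do |name, url, transport|
    warn "refusing submodule #{name.inspect}: transport #{transport} in #{url.inspect}"
  end
  # Pass the env as the first argument to a clone, e.g.
  # system(hardened_git_env, 'git', 'clone', '--recursive', remote, dest)
  puts "clone environment: #{hardened_git_env.inspect}"
end
```

Scanning .gitmodules before the recursive clone catches the obvious case, but the MITM variant described above can still substitute a .gitmodules on the wire, so the environment-level restriction is the check that actually closes the hole: with GIT_ALLOW_PROTOCOL set, git refuses the ext:: transport regardless of where the file came from.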

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:25:37Z"
}
References

Affected packages

RubyGems / git-fastclone

Package

Name
git-fastclone
Purl
pkg:gem/git-fastclone

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.1

Affected versions

0.*

0.0.0
0.0.1
0.0.3

1.*

1.0.0