Vulnetix
Try Vulnetix Request Demo
ALPINE-CVE-2018-11235 PUBLISHED CVSS 7.800000190734863 HIGH

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Risk Scores

CVSS v3.0
7.800000190734863
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.23git2.9.3-r0, 2.9.2-r0, 2.9.1-r0
Alpine:v3.11git1.8.3.1-r0, 0, 1.6.0.4-r1
Alpine:v3.10git1.7.12.2-r0, 1.7.12.1-r0, 1.7.12-r0
Alpine:v3.5git2.8.1-r0, 2.9.3-r0, 2.9.2-r0
Alpine:v3.16git2.12.2-r0, 2.11.1-r0, 2.11.0-r0
Alpine:v3.20git2.4.0-r0, 2.3.7-r0, 2.3.6-r1
Alpine:v3.6git1.7.7.1-r0, 1.7.6.1-r0, 1.7.6-r0
Alpine:v3.7git1.7.9.4-r0, 1.7.9.5-r0, 1.7.9.6-r0
Alpine:v3.15git1.7.7.3-r0, 0, 1.6.0.4-r1
Alpine:v3.8git2.9.3-r0, 1.7.3.1-r0, 0
Alpine:v3.21git2.0.1-r0, 0, 1.6.0.4-r1
Alpine:v3.12git2.9.3-r0, 2.9.2-r0, 2.9.1-r0
Alpine:v3.17git2.9.3-r0, 2.9.3-r0, 2.9.2-r0
Alpine:v3.13git2.0.3-r0, 2.0.4-r0, 2.1.0-r0
Alpine:v3.19git0, 2.9.3-r0, 2.9.2-r0
Alpine:v3.14git2.9.3-r0, 2.9.2-r0, 2.9.1-r0
Alpine:v3.22git1.7.12.3-r0, 1.7.12.4-r0, 1.7.2-r0
Alpine:v3.18git1.8.3-r0, 0, 1.6.0.4-r1
Alpine:v3.9git1.6.0.4-r1, 2.9.3-r0, 2.9.2-r0

Timeline

References

Open in Interactive Console →