// For flags

CVE-2015-7545

git: arbitrary code execution via crafted URLs

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

El (1) git-remote-ext y (2) otros programas de ayuda remotos no especificados en Git en versiones anteriores a 2.3.10, 2.4.x en versiones anteriores a 2.4.10, 2.5.x en versiones anteriores a 2.5.4 y 2.6.x en versiones anteriores a 2.6.1 no restringen correctamente los protocolos permitidos, lo que podría permitir a atacantes remotos ejecutar código arbitrario a través de una URL en un (a) archivo .gitmodules u (b) otras fuentes desconocidas en un submódulo.

A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-09-29 CVE Reserved
  • 2015-12-16 CVE Published
  • 2024-05-13 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-284: Improper Access Control
CAPEC
References (22)
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
<= 2.3.9
Search vendor "Git Project" for product "Git" and version " <= 2.3.9"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.0
Search vendor "Git Project" for product "Git" and version "2.4.0"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.1
Search vendor "Git Project" for product "Git" and version "2.4.1"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.2
Search vendor "Git Project" for product "Git" and version "2.4.2"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.3
Search vendor "Git Project" for product "Git" and version "2.4.3"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.4
Search vendor "Git Project" for product "Git" and version "2.4.4"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.5
Search vendor "Git Project" for product "Git" and version "2.4.5"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.6
Search vendor "Git Project" for product "Git" and version "2.4.6"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.7
Search vendor "Git Project" for product "Git" and version "2.4.7"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.8
Search vendor "Git Project" for product "Git" and version "2.4.8"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.4.9
Search vendor "Git Project" for product "Git" and version "2.4.9"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.5.0
Search vendor "Git Project" for product "Git" and version "2.5.0"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.5.1
Search vendor "Git Project" for product "Git" and version "2.5.1"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.5.2
Search vendor "Git Project" for product "Git" and version "2.5.2"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.5.3
Search vendor "Git Project" for product "Git" and version "2.5.3"
-
Affected
Git Project
Search vendor "Git Project"
Git
Search vendor "Git Project" for product "Git"
2.6.0
Search vendor "Git Project" for product "Git" and version "2.6.0"
-
Affected
Redhat
Search vendor "Redhat"
Software Collections
Search vendor "Redhat" for product "Software Collections"
1.0
Search vendor "Redhat" for product "Software Collections" and version "1.0"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
15.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "15.04"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
15.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"
-
Affected
Opensuse
Search vendor "Opensuse"
Opensuse
Search vendor "Opensuse" for product "Opensuse"
13.1
Search vendor "Opensuse" for product "Opensuse" and version "13.1"
-
Affected
Opensuse
Search vendor "Opensuse"
Opensuse
Search vendor "Opensuse" for product "Opensuse"
13.2
Search vendor "Opensuse" for product "Opensuse" and version "13.2"
-
Affected