CVE-2015-7545
git: arbitrary code execution via crafted URLs
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
El (1) git-remote-ext y (2) otros programas de ayuda remotos no especificados en Git en versiones anteriores a 2.3.10, 2.4.x en versiones anteriores a 2.4.10, 2.5.x en versiones anteriores a 2.5.4 y 2.6.x en versiones anteriores a 2.6.1 no restringen correctamente los protocolos permitidos, lo que podría permitir a atacantes remotos ejecutar código arbitrario a través de una URL en un (a) archivo .gitmodules u (b) otras fuentes desconocidas en un submódulo.
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-09-29 CVE Reserved
- 2015-12-16 CVE Published
- 2024-05-13 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-284: Improper Access Control
CAPEC
References (22)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2015/12/08/5 | Mailing List | |
http://www.openwall.com/lists/oss-security/2015/12/09/8 | Mailing List | |
http://www.openwall.com/lists/oss-security/2015/12/11/7 | Mailing List | |
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | X_refsource_confirm | |
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | X_refsource_confirm | |
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm | |
http://www.securityfocus.com/bid/78711 | Vdb Entry | |
http://www.securitytracker.com/id/1034501 | Vdb Entry | |
https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt | X_refsource_confirm | |
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021 | X_refsource_confirm | |
https://lkml.org/lkml/2015/10/5/683 | Mailing List |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | <= 2.3.9 Search vendor "Git Project" for product "Git" and version " <= 2.3.9" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.0 Search vendor "Git Project" for product "Git" and version "2.4.0" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.1 Search vendor "Git Project" for product "Git" and version "2.4.1" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.2 Search vendor "Git Project" for product "Git" and version "2.4.2" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.3 Search vendor "Git Project" for product "Git" and version "2.4.3" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.4 Search vendor "Git Project" for product "Git" and version "2.4.4" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.5 Search vendor "Git Project" for product "Git" and version "2.4.5" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.6 Search vendor "Git Project" for product "Git" and version "2.4.6" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.7 Search vendor "Git Project" for product "Git" and version "2.4.7" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.8 Search vendor "Git Project" for product "Git" and version "2.4.8" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.9 Search vendor "Git Project" for product "Git" and version "2.4.9" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.0 Search vendor "Git Project" for product "Git" and version "2.5.0" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.1 Search vendor "Git Project" for product "Git" and version "2.5.1" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.2 Search vendor "Git Project" for product "Git" and version "2.5.2" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.3 Search vendor "Git Project" for product "Git" and version "2.5.3" | - |
Affected
| ||||||
Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.6.0 Search vendor "Git Project" for product "Git" and version "2.6.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | 1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.04" | - |
Affected
| ||||||
Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.1 Search vendor "Opensuse" for product "Opensuse" and version "13.1" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.2 Search vendor "Opensuse" for product "Opensuse" and version "13.2" | - |
Affected
|