CVE-2015-7545
git: arbitrary code execution via crafted URLs
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
El (1) git-remote-ext y (2) otros programas de ayuda remotos no especificados en Git en versiones anteriores a 2.3.10, 2.4.x en versiones anteriores a 2.4.10, 2.5.x en versiones anteriores a 2.5.4 y 2.6.x en versiones anteriores a 2.6.1 no restringen correctamente los protocolos permitidos, lo que podría permitir a atacantes remotos ejecutar código arbitrario a través de una URL en un (a) archivo .gitmodules u (b) otras fuentes desconocidas en un submódulo.
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2015-09-29 CVE Reserved
- 2015-12-16 CVE Published
- 2024-05-13 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-284: Improper Access Control
CAPEC
References (22)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2015/12/08/5 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2015/12/09/8 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2015/12/11/7 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/78711 | Vdb Entry | |
| http://www.securitytracker.com/id/1034501 | Vdb Entry | |
| https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt | X_refsource_confirm | |
| https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021 | X_refsource_confirm | |
| https://lkml.org/lkml/2015/10/5/683 | Mailing List |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | <= 2.3.9 Search vendor "Git Project" for product "Git" and version " <= 2.3.9" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.0 Search vendor "Git Project" for product "Git" and version "2.4.0" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.1 Search vendor "Git Project" for product "Git" and version "2.4.1" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.2 Search vendor "Git Project" for product "Git" and version "2.4.2" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.3 Search vendor "Git Project" for product "Git" and version "2.4.3" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.4 Search vendor "Git Project" for product "Git" and version "2.4.4" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.5 Search vendor "Git Project" for product "Git" and version "2.4.5" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.6 Search vendor "Git Project" for product "Git" and version "2.4.6" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.7 Search vendor "Git Project" for product "Git" and version "2.4.7" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.8 Search vendor "Git Project" for product "Git" and version "2.4.8" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.4.9 Search vendor "Git Project" for product "Git" and version "2.4.9" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.0 Search vendor "Git Project" for product "Git" and version "2.5.0" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.1 Search vendor "Git Project" for product "Git" and version "2.5.1" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.2 Search vendor "Git Project" for product "Git" and version "2.5.2" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.5.3 Search vendor "Git Project" for product "Git" and version "2.5.3" | - |
Affected
| ||||||
| Git Project Search vendor "Git Project" | Git Search vendor "Git Project" for product "Git" | 2.6.0 Search vendor "Git Project" for product "Git" and version "2.6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | 1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.04" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.1 Search vendor "Opensuse" for product "Opensuse" and version "13.1" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.2 Search vendor "Opensuse" for product "Opensuse" and version "13.2" | - |
Affected
| ||||||