CVE-2015-8968
CVE-2015-8968 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. EPSS estimates a 5.20% chance of exploitation in the next 30 days.
Description
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternatively, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Squareup | Git-Fastclone | < 1.0.1 |
References
- http://www.securityfocus.com/bid/81433 (Third Party Advisory, VDB Entry)
- https://github.com/square/git-fastclone/pull/2 (Patch, Vendor Advisory)
- https://hackerone.com/reports/104465 (Exploit, Third Party Advisory)
Source: NVD / NIST
