Arbitrary Argument Injection Affecting git package, versions <1:2.11.0-3+deb9u4


0.0
critical

Snyk CVSS

    Exploit Maturity Mature
    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High
Expand this section
RHEL
8.8 high
Expand this section
NVD
9.8 critical
Expand this section
SUSE
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN9-GIT-340821
  • published 6 Oct 2018
  • disclosed 6 Oct 2018

How to fix?

Upgrade Debian:9 git to version 1:2.11.0-3+deb9u4 or higher.

NVD Description

Note: Versions mentioned in the description apply to the upstream git package. See How to fix? for Debian:9 relevant versions.

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.