Home

CVE-2018-11235

Description

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs git clone --recurse-submodules because submodule names are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with ../ in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Risk Information

Base Score
7.8
MODERATE
Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
41.72

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2018-1000021,CVE-2018-11233,CVE-2018-11235 are affected in Git (X64) 2.15.1Windows
Vulnerabilities CVE-2018-1000021,CVE-2018-11233,CVE-2018-11235 are affected in Git 2.15.1Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git (X64) 2.13.6Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git (X64) 2.14.3Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git (X64) 2.16.3Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git (X64) 2.17.0Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git 2.13.6Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git 2.14.3Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git 2.16.3Windows
Vulnerabilities CVE-2018-11233,CVE-2018-11235 are affected in Git 2.17.0Windows
fast, scalable, distributed revision control system (USN-3671-1) git_1.9.1-1ubuntu0.8_i386.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_1.9.1-1ubuntu0.8_amd64.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_2.7.4-0ubuntu1.4_i386.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_2.7.4-0ubuntu1.4_amd64.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_2.14.1-1ubuntu4.1_i386.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_2.14.1-1ubuntu4.1_amd64.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_2.17.1-1ubuntu0.1_i386.debLinux
fast, scalable, distributed revision control system (USN-3671-1) git_2.17.1-1ubuntu0.1_amd64.debLinux
git security update(DSA-4212-1) git_2.11.0-3+deb9u3_i386.debLinux
git security update(DSA-4212-1) git_2.11.0-3+deb9u3_amd64.debLinux
Git security update (CESA-2018:1957) gitk-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-hg-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-p4-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) gitweb-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-all-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-bzr-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-cvs-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-gui-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) perl-Git-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) emacs-git-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) git-email-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) emacs-git-el-1.8.3.1-14.el7_5.noarch.rpmLinux
Git security update (CESA-2018:1957) perl-Git-SVN-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update emacs-git-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update emacs-git-el-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-1.8.3.1-14.el7_5.x86_64.rpmLinux
(RHSA-2018:1957) Important: git security update git-all-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-bzr-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-cvs-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-daemon-1.8.3.1-14.el7_5.x86_64.rpmLinux
(RHSA-2018:1957) Important: git security update git-email-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-gui-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-hg-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-p4-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update git-svn-1.8.3.1-14.el7_5.x86_64.rpmLinux
(RHSA-2018:1957) Important: git security update gitk-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update gitweb-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update perl-Git-1.8.3.1-14.el7_5.noarch.rpmLinux
(RHSA-2018:1957) Important: git security update perl-Git-SVN-1.8.3.1-14.el7_5.noarch.rpmLinux
SUSE-SU-2018:1566-1(SUSE Linux Enterprise Server 12-SP3 ) git-core-2.12.3-27.14.1.x86_64.rpmLinux
SUSE-SU-2018:1566-1(SUSE Linux Enterprise Server 12-SP3 ) git-core-debuginfo-2.12.3-27.14.1.x86_64.rpmLinux
SUSE-SU-2018:1566-1(SUSE Linux Enterprise Server 12-SP3 ) git-debugsource-2.12.3-27.14.1.x86_64.rpmLinux
Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability (CVE-2018-11235)NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-352878Git (x64) (2.51.2)
PATCH-350752Git (2.50.1)
PATCH-352878Git (x64) (2.51.2)
PATCH-352878Git (x64) (2.51.2)
PATCH-352878Git (x64) (2.51.2)
PATCH-352878Git (x64) (2.51.2)
PATCH-350752Git (2.50.1)
PATCH-350752Git (2.50.1)
PATCH-350752Git (2.50.1)
PATCH-350752Git (2.50.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234