CVE-2015-8968 – git-fastclone

Package

Manager: gem
Name: git-fastclone
Vulnerable Version: >=0 <1.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02844 pctl0.857

Details

git-fastclone permits arbitrary shell command execution from .gitmodules git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.

Metadata

Created: 2018-08-15T20:03:37Z
Modified: 2023-08-29T12:09:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-8gg6-3r63-25m8/GHSA-8gg6-3r63-25m8.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-8gg6-3r63-25m8
Finding: F422
Auto approve: 1