In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
AI analysis not yet available
Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| debian | debian_linux | - | - |
| debian | debian_linux | - | - |
| canonical | ubuntu_linux | - |
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
17
Affected Products
22
References
debian / debian_linux
| - |
| canonical | ubuntu_linux | - | - |
| canonical | ubuntu_linux | - | - |
| canonical | ubuntu_linux | - | - |
| redhat | enterprise_linux | - | - |
| redhat | enterprise_linux_desktop | - | - |
| redhat | enterprise_linux_server | - | - |
| redhat | enterprise_linux_server_eus | - | - |
| redhat | enterprise_linux_workstation | - | - |
| git-scm | git | 2.13.6 | - |
| git-scm | git | 2.14.0 - 2.14.3 | - |
| git-scm | git | 2.15.0 - 2.15.1 | - |
| git-scm | git | 2.16.0 - 2.16.3 | - |
| git-scm | git | - | - |
| gitforwindows | git | 2.17.1 | - |
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability
Impact