{"id":"CVE-2018-17456","details":"Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.","modified":"2026-05-30T10:55:17.861718Z","published":"2018-10-06T14:29:00.300Z","related":["SUSE-SU-2018:3150-1","SUSE-SU-2018:4009-1","SUSE-SU-2018:4088-1","SUSE-SU-2018:4088-2","SUSE-SU-2018:4088-3","SUSE-SU-2020:1121-1","openSUSE-SU-2020:0598-1","openSUSE-SU-2024:10786-1","openSUSE-SU-2024:10943-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"],"source":"CPE_STRING","vendor_product":"canonical:ubuntu_linux","extracted_events":[{"last_affected":"14.04"},{"last_affected":"16.04"},{"last_affected":"18.04"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"}]},{"cpes":["cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:ansible_tower","extracted_events":[{"last_affected":"3.3"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux","extracted_events":[{"last_affected":"6.0"},{"last_affected":"6.7"},{"last_affected":"7.0"},{"last_affected":"7.3"},{"last_affected":"7.4"},{"last_affected":"7.5"},{"last_affected":"7.6"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_desktop","extracted_events":[{"last_affected":"7.0"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_server","extracted_events":[{"last_affected":"7.0"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_server_aus","extracted_events":[{"last_affected":"7.6"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_server_eus","extracted_events":[{"last_affected":"7.6"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_server_tus","extracted_events":[{"last_affected":"7.6"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_workstation","extracted_events":[{"last_affected":"7.0"}]}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105523"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107511"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041811"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3408"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3505"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3541"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0316"},{"type":"ADVISORY","url":"https://marc.info/?l=git&m=153875888916397&w=2"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Mar/30"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3791-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4311"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2018/10/06/3"},{"type":"FIX","url":"https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404"},{"type":"FIX","url":"https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45548/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45631/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/git-for-windows/git","events":[{"introduced":"1d4361b0f344188ab5eec6dcea01f61a3a3a1670"},{"fixed":"cae598d9980661a978e2df4fb338518f7bf09572"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"2.19.0"},{"fixed":"2.19.1"}],"cpe":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*"}}],"versions":["v2.19.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17456.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/git/git","events":[{"introduced":"4384e3cde2ce8ecd194202e171ae16333d241326"},{"fixed":"d0832b2847aa9669c09397c5639d7fe56abaf9fc"},{"introduced":"cb5918aa0d50f50e83787f65c2ddc3dcb10159fe"},{"fixed":"924c623e1c71b98da608f980a97f9730c021ba44"},{"introduced":"2512f15446149235156528dafbe75930c712b29e"},{"fixed":"27d05d1a1a62273aa3749f4d0ab8a126ef11ff66"},{"introduced":"468165c1d8a442994a825f3684528361727cd8c0"},{"fixed":"6e9e91e9cae74cd7feb9300563d40361b2b17dd2"},{"introduced":"53f9a3e157dbbc901a02ac2c73346d375e24978c"},{"fixed":"268fbcd172cdb306e8a3e7143cc16677c963d6cd"},{"introduced":"1d4361b0f344188ab5eec6dcea01f61a3a3a1670"},{"fixed":"cae598d9980661a978e2df4fb338518f7bf09572"},{"fixed":"1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404"},{"fixed":"a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"2.14.0"},{"fixed":"2.14.5"},{"introduced":"2.15.0"},{"fixed":"2.15.3"},{"introduced":"2.16.0"},{"fixed":"2.16.5"},{"introduced":"2.17.0"},{"fixed":"2.17.2"},{"introduced":"2.18.0"},{"fixed":"2.18.1"},{"introduced":"2.19.0"},{"fixed":"2.19.1"}],"cpe":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*"}}],"versions":["v2.15.0","v2.17.0","v2.18.0","v2.19.0","v2.17.1","v2.16.4","v2.15.2","v2.14.4","v2.16.3","v2.14.3","v2.16.2","v2.16.1","v2.16.0","v2.15.1","v2.14.2","v2.14.0","v2.14.1"],"database_specific":{"vanir_signatures":[{"digest":{"length":464,"function_hash":"74687755865234334360883501852567920378"},"target":{"file":"fsck.c","function":"fsck_gitmodules_fn"},"id":"CVE-2018-17456-6395f845","signature_type":"Function","source":"https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["217918380924176957102810654075341599196","117753730928290908950277960920988579234","238564133705298630809711888480831625193","40793998524149642212331206026820467726","131744534305363149181561143635993325041","118269845443441089115293841204093565177","154178865154027729581994095520201329671","45981377794252269677761437338334550314"],"threshold":0.9},"target":{"file":"fsck.c"},"id":"CVE-2018-17456-ff58f248","signature_type":"Line","source":"https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17456.json","vanir_signatures_modified":"2026-05-30T10:55:17Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}