CVE-2015-8968

Exploit

EPSS 2.84%
Published 03.11.2016 10:59:00
Last modified 12.04.2025 10:46:40
Source support@hackerone.com
Teams watchlist Login
Open Login

git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Squareup ≫ Git-fastclone Version < 1.0.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.84%	0.857

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://www.securityfocus.com/bid/81433

Third Party Advisory

VDB Entry

https://github.com/square/git-fastclone/pull/2

Patch

Vendor Advisory

https://hackerone.com/reports/104465

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2015-8968

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2015-8968

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2015-8968

EUVD