{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-05T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:2515", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2515.html"}, {"name": "openSUSE-SU-2015:1968", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html"}, {"name": "GLSA-201605-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201605-01"}, {"name": "[oss-security] 20151208 CVE for git issue - please use CVE-2015-7545", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/08/5"}, {"name": "[linux-kernel] 20151005 [ANNOUNCE] Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lkml.org/lkml/2015/10/5/683"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "1034501", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034501"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt"}, {"name": "USN-2835-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2835-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt"}, {"name": "[oss-security] 20151211 Re: CVE for git issue - please use CVE-2015-7545", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/11/7"}, {"name": "78711", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/78711"}, {"name": "[oss-security] 20151209 Re: CVE for git issue - please use CVE-2015-7545", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/09/8"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt"}, {"name": "SSA:2016-123-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE"], "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255"}, {"name": "DSA-3435", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3435"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7545", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2015:2515", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-2515.html"}, {"name": "openSUSE-SU-2015:1968", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html"}, {"name": "GLSA-201605-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201605-01"}, {"name": "[oss-security] 20151208 CVE for git issue - please use CVE-2015-7545", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/08/5"}, {"name": "[linux-kernel] 20151005 [ANNOUNCE] Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10", "refsource": "MLIST", "url": "https://lkml.org/lkml/2015/10/5/683"}, {"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt", "refsource": "CONFIRM", "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "1034501", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034501"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"}, {"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt", "refsource": "CONFIRM", "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt"}, {"name": "USN-2835-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2835-1"}, {"name": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021", "refsource": "CONFIRM", "url": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021"}, {"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt", "refsource": "CONFIRM", "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt"}, {"name": "[oss-security] 20151211 Re: CVE for git issue - please use CVE-2015-7545", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/11/7"}, {"name": "78711", "refsource": "BID", "url": "http://www.securityfocus.com/bid/78711"}, {"name": "[oss-security] 20151209 Re: CVE for git issue - please use CVE-2015-7545", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/09/8"}, {"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt", "refsource": "CONFIRM", "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt"}, {"name": "SSA:2016-123-01", "refsource": "SLACKWARE", "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255"}, {"name": "DSA-3435", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3435"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:51:28.413Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:2515", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2515.html"}, {"name": "openSUSE-SU-2015:1968", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html"}, {"name": "GLSA-201605-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201605-01"}, {"name": "[oss-security] 20151208 CVE for git issue - please use CVE-2015-7545", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/08/5"}, {"name": "[linux-kernel] 20151005 [ANNOUNCE] Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lkml.org/lkml/2015/10/5/683"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "1034501", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034501"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt"}, {"name": "USN-2835-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2835-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt"}, {"name": "[oss-security] 20151211 Re: CVE for git issue - please use CVE-2015-7545", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/11/7"}, {"name": "78711", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/78711"}, {"name": "[oss-security] 20151209 Re: CVE for git issue - please use CVE-2015-7545", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/09/8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt"}, {"name": "SSA:2016-123-01", "tags": ["vendor-advisory", "x_refsource_SLACKWARE", "x_transferred"], "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255"}, {"name": "DSA-3435", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3435"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7545", "datePublished": "2016-04-13T15:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.413Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git_project:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE0D05BB-1BFE-4BB9-A701-05F3E0109F85", "versionEndIncluding": "2.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "721C0D3E-F214-4347-896A-3F1866286029", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "DDC97E73-FE7D-40DD-BA8B-71E3CE3E5C6B", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "F2A0F218-26C6-444F-854C-2264B24D029C", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "65B4AE0E-5020-427B-9625-1EA3AC54ABD9", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "5766EF06-BEC1-4FD9-8F29-68324A7B94A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "CAA8483A-8404-4237-B306-BAE83980BD10", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "F871DDC6-BE12-41E5-A088-3FDC7F62D959", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "5E0F1049-E958-4453-B259-36A99167C3BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "DD2F404D-42FA-4F57-A046-2DDEDACADC93", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "9D16372D-7870-4F33-B53F-DEAF689EEE1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "F50C530F-6122-4E70-A718-3ACFFF18BC81", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B6048B6-9CAE-4B2C-AC69-8374DDA97A15", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "007EBCB7-19E7-46D9-8842-65F36CA7C0C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "7E414B6E-2783-4E96-B15B-1971E4C78EDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:git_project:git:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C57363C-6D6C-41F3-9D69-E38DDAE7C05B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule."}, {"lang": "es", "value": "El (1) git-remote-ext y (2) otros programas de ayuda remotos no especificados en Git en versiones anteriores a 2.3.10, 2.4.x en versiones anteriores a 2.4.10, 2.5.x en versiones anteriores a 2.5.4 y 2.6.x en versiones anteriores a 2.6.1 no restringen correctamente los protocolos permitidos, lo que podr\u00eda permitir a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de una URL en un (a) archivo .gitmodules u (b) otras fuentes desconocidas en un subm\u00f3dulo."}], "id": "CVE-2015-7545", "lastModified": "2018-10-30T16:27:35.843", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-13T15:59:01.320", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-2515.html"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3435"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2015/12/08/5"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2015/12/09/8"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2015/12/11/7"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/78711"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034501"}, {"source": "secalert@redhat.com", "url": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2835-1"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt"}, {"source": "secalert@redhat.com", "url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt"}, {"source": "secalert@redhat.com", "url": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021"}, {"source": "secalert@redhat.com", "url": "https://lkml.org/lkml/2015/10/5/683"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201605-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:2561", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "git-0:1.8.3.1-6.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-12-08T00:00:00Z"}, {"advisory": "RHSA-2015:2515", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "git19-git-0:1.9.4-3.el6.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:2515", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "git19-git-0:1.9.4-3.el6.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:2515", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "git19-git-0:1.9.4-3.el6.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:2515", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "git19-git-0:1.9.4-3.el6.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2015-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:2515", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "git19-git-0:1.9.4-3.el7.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:2515", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "git19-git-0:1.9.4-3.el7.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-11-25T00:00:00Z"}], "bugzilla": {"description": "git: arbitrary code execution via crafted URLs", "id": "1269794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-77", "details": ["The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.", "A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user's system."], "mitigation": {"lang": "en:us", "value": "Avoid recursive cloning or updating of git submodules without checking the submodule URL. Non-recursive cloning is the default in git, so user needs to change this to become vulnerable (\"e.g. by specifying --recursive\")."}, "name": "CVE-2015-7545", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2015-10-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-7545\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7545"], "threat_severity": "Moderate", "upstream_fix": "git 2.6.1, git 2.3.10"}