{"id":"CVE-2018-17456","details":"Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.","modified":"2026-04-16T06:15:50.524586376Z","published":"2018-10-06T14:29:00.300Z","related":["SUSE-SU-2018:3150-1","SUSE-SU-2018:4009-1","SUSE-SU-2018:4088-1","SUSE-SU-2018:4088-2","SUSE-SU-2018:4088-3","SUSE-SU-2020:1121-1","openSUSE-SU-2020:0598-1","openSUSE-SU-2024:10786-1","openSUSE-SU-2024:10943-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041811"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3505"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4311"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105523"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107511"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3408"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3541"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0316"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3791-1/"},{"type":"ADVISORY","url":"https://marc.info/?l=git&m=153875888916397&w=2"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Mar/30"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2018/10/06/3"},{"type":"FIX","url":"https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46"},{"type":"FIX","url":"https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45631/"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45548/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/git/git","events":[{"introduced":"4384e3cde2ce8ecd194202e171ae16333d241326"},{"fixed":"d0832b2847aa9669c09397c5639d7fe56abaf9fc"},{"introduced":"cb5918aa0d50f50e83787f65c2ddc3dcb10159fe"},{"fixed":"924c623e1c71b98da608f980a97f9730c021ba44"},{"introduced":"2512f15446149235156528dafbe75930c712b29e"},{"fixed":"27d05d1a1a62273aa3749f4d0ab8a126ef11ff66"},{"introduced":"468165c1d8a442994a825f3684528361727cd8c0"},{"fixed":"6e9e91e9cae74cd7feb9300563d40361b2b17dd2"},{"introduced":"53f9a3e157dbbc901a02ac2c73346d375e24978c"},{"fixed":"268fbcd172cdb306e8a3e7143cc16677c963d6cd"},{"introduced":"1d4361b0f344188ab5eec6dcea01f61a3a3a1670"},{"fixed":"cae598d9980661a978e2df4fb338518f7bf09572"},{"fixed":"1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404"},{"fixed":"a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46"}],"database_specific":{"versions":[{"introduced":"2.14.0"},{"fixed":"2.14.5"},{"introduced":"2.15.0"},{"fixed":"2.15.3"},{"introduced":"2.16.0"},{"fixed":"2.16.5"},{"introduced":"2.17.0"},{"fixed":"2.17.2"},{"introduced":"2.18.0"},{"fixed":"2.18.1"},{"introduced":"2.19.0"},{"fixed":"2.19.1"}]}}],"versions":["v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.15.0","v2.15.1","v2.15.2","v2.16.0","v2.16.1","v2.16.2","v2.16.3","v2.16.4","v2.17.0","v2.17.1","v2.18.0","v2.19.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17456.json","vanir_signatures_modified":"2026-04-11T12:27:57Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures":[{"id":"CVE-2018-17456-2df45b27","deprecated":false,"signature_version":"v1","target":{"file":"fsck.c","function":"fsck_gitmodules_fn"},"source":"https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404","digest":{"length":653,"function_hash":"280767856758277171414092295284574468787"},"signature_type":"Function"},{"source":"https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46","deprecated":false,"signature_version":"v1","target":{"file":"fsck.c","function":"fsck_gitmodules_fn"},"id":"CVE-2018-17456-6395f845","digest":{"length":464,"function_hash":"74687755865234334360883501852567920378"},"signature_type":"Function"},{"id":"CVE-2018-17456-f3198db8","digest":{"threshold":0.9,"line_hashes":["61187277327173978608487490955699247805","322478933031989535159482901598085121490","105640845193175585999041621410241546937","320863403475869972817195883113195046675","112056197659761133531585212977590424954","186663816293050747954242156545984267682","206904128480667008530182138888978574630","191728292391714541701984138567608141284"]},"signature_version":"v1","deprecated":false,"target":{"file":"fsck.c"},"source":"https://github.com/git/git/commit/1a7fd1fb2998002da6e9ff2ee46e1bdd25ee8404","signature_type":"Line"},{"source":"https://github.com/git/git/commit/a124133e1e6ab5c7a9fef6d0e6bcb084e3455b46","deprecated":false,"signature_version":"v1","id":"CVE-2018-17456-ff58f248","digest":{"threshold":0.9,"line_hashes":["217918380924176957102810654075341599196","117753730928290908950277960920988579234","238564133705298630809711888480831625193","40793998524149642212331206026820467726","131744534305363149181561143635993325041","118269845443441089115293841204093565177","154178865154027729581994095520201329671","45981377794252269677761437338334550314"]},"target":{"file":"fsck.c"},"signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}