CVE-2015-8968

HIGH

git-fastclone < 1.0.1 - Remote Code Execution via .gitmodules

Title source: llm
STIX 2.1

Description

git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get the client to run an arbitrary shell command. Alternatively, an attacker who can MITM an unencrypted git clone could exploit this. The ext command is run whenever the repository is recursively cloned or its submodules are updated. The attack works when cloning both local and remote repositories.
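The description above says the shell command is carried in a submodule URL that uses git's ext transport. A defender can catch that before any recursive clone or submodule update by parsing .gitmodules and refusing URLs that are not plain git transports. The following Ruby script is an added example written for this page; it is not code from the advisory, from git-fastclone, or from the linked patch. The sample .gitmodules content is constructed, the SAFE_SCHEMES list and the verdict names are this example's own assumptions, and the ext URL uses a placeholder token rather than a real command.

```ruby
# Added example: audit a .gitmodules file for submodule URLs that use a
# git remote helper (ext:: or any other <helper>:: form) or an unexpected
# scheme, so a recursive clone can be refused before git acts on them.
# Not part of the advisory or the git-fastclone project.

# Transports a reviewer would normally expect in .gitmodules (assumption).
SAFE_SCHEMES = %w[https ssh git file].freeze

# Parse the INI-like .gitmodules format into an array of hashes:
# [{ name: "lib/x", path: "lib/x", url: "..." }, ...]
def parse_gitmodules(text)
  modules = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[submodule\s+"([^"]*)"\]\z/))
      current = { name: m[1] }
      modules << current
    elsif current && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      current[m[1].to_sym] = m[2].strip
    end
  end
  modules
end

# Classify one submodule URL. :ok means an ordinary transport; every other
# verdict is a reason to stop and review the repository by hand.
def classify_url(url)
  return :missing if url.nil? || url.empty?
  # ext:: hands the rest of the URL to a program; this is the case the advisory covers.
  return :ext_helper if url.start_with?('ext::')
  # Any other "<helper>::" prefix also invokes a git remote helper.
  return :remote_helper if url.match?(/\A[A-Za-z0-9_-]+::/)
  scheme = url[%r{\A([a-z][a-z0-9+.-]*)://}i, 1]
  # No "://": a relative path (../foo) or scp-style user@host:repo, both plain git.
  return :ok if scheme.nil?
  SAFE_SCHEMES.include?(scheme.downcase) ? :ok : :unknown_scheme
end

# Audit a whole .gitmodules text; returns one verdict per submodule.
def audit_gitmodules(text)
  parse_gitmodules(text).map do |m|
    { name: m[:name], url: m[:url], verdict: classify_url(m[:url]) }
  end
end

# True when every submodule URL is an ordinary transport.
def safe_to_clone_recursively?(text)
  audit_gitmodules(text).all? { |r| r[:verdict] == :ok }
end

# Constructed sample: one benign submodule and one using the ext transport
# (PLACEHOLDER_COMMAND stands in for whatever an attacker would put there).
SAMPLE_GITMODULES = <<~GITMODULES
  [submodule "lib/safe"]
    path = lib/safe
    url = https://example.invalid/safe.git
  [submodule "lib/bad"]
    path = lib/bad
    url = ext::PLACEHOLDER_COMMAND %S
GITMODULES

if __FILE__ == $PROGRAM_NAME
  audit_gitmodules(SAMPLE_GITMODULES).each do |r|
    puts format('%-10s %-12s %s', r[:verdict], r[:name], r[:url])
  end
  puts(safe_to_clone_recursively?(SAMPLE_GITMODULES) ? 'OK to clone' : 'REFUSE recursive clone')
end
```

Run the check against the .gitmodules of a freshly cloned (non-recursive) working tree before updating submodules; anything other than :ok for every entry is a reason not to proceed.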

References (3)

Exploit, Third Party Advisory (x_refsource_misc): https://hackerone.com/reports/104465
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/81433
Patch, Vendor Advisory (x_refsource_misc): https://github.com/square/git-fastclone/pull/2

Scores

CVSS v3 8.8
EPSS 0.0284
EPSS Percentile 86.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-77
Status published
Products (3)

n/a/git-fastclone ruby gem: All versions before 1.0.1
rubygems/git-fastclone: 0 - 1.0.1 (RubyGems)
squareup/git-fastclone: < 1.0.1
Published Nov 03, 2016
Tracked Since Feb 18, 2026