GSD-2015-7545
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-7545",
"description": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.",
"id": "GSD-2015-7545",
"references": [
"https://www.suse.com/security/cve/CVE-2015-7545.html",
"https://www.debian.org/security/2016/dsa-3435",
"https://access.redhat.com/errata/RHSA-2015:2561",
"https://access.redhat.com/errata/RHSA-2015:2515",
"https://ubuntu.com/security/CVE-2015-7545",
"https://alas.aws.amazon.com/cve/html/CVE-2015-7545.html",
"https://linux.oracle.com/cve/CVE-2015-7545.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-7545"
],
"details": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.",
"id": "GSD-2015-7545",
"modified": "2023-12-13T01:20:01.733995Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7545",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2015:2515",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2515.html"
},
{
"name": "openSUSE-SU-2015:1968",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html"
},
{
"name": "GLSA-201605-01",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201605-01"
},
{
"name": "[oss-security] 20151208 CVE for git issue - please use CVE-2015-7545",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/12/08/5"
},
{
"name": "[linux-kernel] 20151005 [ANNOUNCE] Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10",
"refsource": "MLIST",
"url": "https://lkml.org/lkml/2015/10/5/683"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt",
"refsource": "CONFIRM",
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"name": "1034501",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034501"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt",
"refsource": "CONFIRM",
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt"
},
{
"name": "USN-2835-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2835-1"
},
{
"name": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021",
"refsource": "CONFIRM",
"url": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt",
"refsource": "CONFIRM",
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt"
},
{
"name": "[oss-security] 20151211 Re: CVE for git issue - please use CVE-2015-7545",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/12/11/7"
},
{
"name": "78711",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/78711"
},
{
"name": "[oss-security] 20151209 Re: CVE for git issue - please use CVE-2015-7545",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/12/09/8"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt",
"refsource": "CONFIRM",
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt"
},
{
"name": "SSA:2016-123-01",
"refsource": "SLACKWARE",
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.533255"
},
{
"name": "DSA-3435",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3435"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.3.9",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:git_project:git:2.4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-7545"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-2835-1",
"refsource": "UBUNTU",
"tags": [],
"url": "http://www.ubuntu.com/usn/USN-2835-1"
},
{
"name": "RHSA-2015:2515",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2515.html"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt"
},
{
"name": "openSUSE-SU-2015:1968",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt"
},
{
"name": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021",
"refsource": "CONFIRM",
"tags": [],
"url": "https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1269794"
},
{
"name": "[linux-kernel] 20151005 [ANNOUNCE] Git v2.6.1, v2.5.4, v2.4.10 and v2.3.10",
"refsource": "MLIST",
"tags": [],
"url": "https://lkml.org/lkml/2015/10/5/683"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt"
},
{
"name": "[oss-security] 20151208 CVE for git issue - please use CVE-2015-7545",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2015/12/08/5"
},
{
"name": "[oss-security] 20151211 Re: CVE for git issue - please use CVE-2015-7545",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2015/12/11/7"
},
{
"name": "[oss-security] 20151209 Re: CVE for git issue - please use CVE-2015-7545",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2015/12/09/8"
},
{
"name": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt"
},
{
"name": "GLSA-201605-01",
"refsource": "GENTOO",
"tags": [],
"url": "https://security.gentoo.org/glsa/201605-01"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"name": "78711",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/78711"
},
{
"name": "SSA:2016-123-01",
"refsource": "SLACKWARE",
"tags": [],
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.533255"
},
{
"name": "1034501",
"refsource": "SECTRACK",
"tags": [],
"url": "http://www.securitytracker.com/id/1034501"
},
{
"name": "DSA-3435",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2016/dsa-3435"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2018-10-30T16:27Z",
"publishedDate": "2016-04-13T15:59Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…