Recently, a security researcher found a potential remote code execution vulnerability (CVE-2018-11235) in Git. The vulnerability stems from insufficient validation of submodule folder names: when a user runs 'git clone --recurse-submodules', an attacker could remotely execute arbitrary code by constructing a malicious .gitmodules file.
Affected Versions
- Git version < 2.13.7
- Git version 2.14.x < 2.14.4
- Git version 2.15.x < 2.15.2
- Git version 2.16.x < 2.16.4
- Git version 2.17.x < 2.17.1
Unaffected Versions
- Git version 2.14.4
- Git version 2.15.2
- Git version 2.16.4
- Git version 2.17.1
Solution
The Git project has released new versions that fix this vulnerability. Affected users should download and install a fixed version as soon as possible.
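
To check a client against the version ranges listed above, the following added example (not part of the original advisory or of Git itself) classifies a Git version string. The function name cve_2018_11235_status is hypothetical. As assumptions, 2.13.x releases from 2.13.7 on are treated as fixed, as implied by "< 2.13.7", and releases newer than 2.17.x are reported as not-listed because the advisory does not cover them.

```shell
#!/bin/sh
# Added example: classify a Git version string against the ranges listed in
# this advisory for CVE-2018-11235.
# Prints one of: affected | fixed | not-listed | unparsed

cve_2018_11235_status() {
    # Accept "git version 2.17.0", "2.16.3", "2.15.1.windows.2", ...
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || { echo unparsed; return 0; }
    set -- $ver
    major=$1 minor=$2 patch=$3

    # Everything before the 2.x series is below 2.13.7.
    if [ "$major" -lt 2 ]; then echo affected; return 0; fi
    # Assumption: series the advisory does not mention are not classified.
    if [ "$major" -gt 2 ]; then echo not-listed; return 0; fi

    # First fixed patch level per maintenance branch, from the advisory.
    case $minor in
        13) fixed=7 ;;
        14) fixed=4 ;;
        15) fixed=2 ;;
        16) fixed=4 ;;
        17) fixed=1 ;;
        *)  if [ "$minor" -lt 13 ]; then echo affected; else echo not-listed; fi
            return 0 ;;
    esac

    if [ "$patch" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# Report on the locally installed client, if there is one.
if command -v git >/dev/null 2>&1; then
    echo "installed git: $(cve_2018_11235_status "$(git --version)")"
fi
```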