Home > Cyber News > CVE-2018-11235 Git Vulnerability – Microsoft Releases Patch
CYBER NEWS

CVE-2018-11235 Git Vulnerability – Microsoft Releases Patch

by   |  Last Update:  |  0 Comments  

An industry-wide security flaw identified as CVE-2018-11235 has been discovered in Git. The vulnerability can lead to arbitrary code execution when a user performs operations in a malicious repository.

CVE-2018-11235 Official Description

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone –recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Related Story: CVE-2018-3639: Spectre Variant 4 Vulnerability Affects the Linux Kernel

Microsoft recently reported that Git 2.17.1 and Git for Windows 2.17.1 (2) were just released and include the needed fix. The Visual Studio Team Services (VSTS) team takes security issues very seriously, and we encourage all users to update their Git clients as soon as possible to fix this vulnerability, Microsoft said.

Microsoft has blocked these types of malicious repositories from being pushed to VSTS. This action helps to ensure that VSTS can’t be exploited as vector for transmitting maliciously crafted repositories to vulnerable systems still prone to CVE-2018-11235.

Users running Git for Windows should immediately download the latest version 2.17.1 (2).
In addition, Visual Studio 2017 is also currently being patched and a hotfix will be available soon, Microsoft promised.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
  2. July 2018 Patch Tuesday Fixes CVE-2018-8281, Microsoft Office Bugs Another set of patches has been rolled by Microsoft in...
  3. PHP Git Server Hit in a Cyberattack The official PHP Git server was recently compromised in a...
  4. Cisco Bugs CVE-2018-0151, CVE-2018-171, CVE-2018-015. Patch Now! Three critical vulnerabilities have found in Cisco products. More specifically,...
  5. Adobe Releases Second Patch for CVE-2019-7089 After First One Failed CVE-2019-7089 is a critical zero-day vulnerability in Adobe Reader which...
  6. CVE-2018-8414, CVE-2018-8373 Fixed in August 2018 Patch Tuesday Microsoft has released their latest wave of updates in the...
  7. Windows JScript Component Vulnerability Is Yet to Be Patched A flaw has been discovered in Windows’s JScript component. The...
  8. Google, Microsoft Bugs Top the 20 Most Prevalent Enterprise Vulnerabilities Cybersecurity firm Tenable just released their Vulnerability Intelligence Report which...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree