CVE-2018-11235 Git Vulnerability – Microsoft Releases Patch

An industry-wide security flaw identified as CVE-2018-11235 has been discovered in Git. The vulnerability can lead to arbitrary code execution when a user performs operations in a malicious repository.

CVE-2018-11235 Official Description

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
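As an added illustration, not code from the advisory or from Git itself, the following Python script parses a constructed .gitmodules file and flags submodule names that would traverse out of $GIT_DIR/modules when appended to it. The name rule mirrors the one the fixed Git releases apply: reject empty names and any ".." path component, treating both "/" and "\" as separators.

```python
import re

# Constructed sample .gitmodules (not from any real repository). The second
# entry carries a traversal name of the kind CVE-2018-11235 abuses, and the
# third has an empty name, which the fixed Git also rejects.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../../.git/modules/evil"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
[submodule ""]
\tpath = empty
\turl = https://example.invalid/empty.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return a list of (name, {key: value}) pairs from .gitmodules text.

    A minimal line-based parser; configparser is avoided because it treats
    the indented 'url = ...' line as a continuation of 'path = ...'.
    """
    modules = []
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = {}
            modules.append((m.group(1), current))
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return modules


def is_safe_submodule_name(name):
    """Non-empty and free of '..' components, with '/' or '\\' as separator."""
    if not name:
        return False
    return all(part != ".." for part in re.split(r"[/\\]", name))


def find_unsafe_submodules(text):
    """Submodule names that would escape $GIT_DIR/modules when appended."""
    return [name for name, _ in parse_gitmodules(text)
            if not is_safe_submodule_name(name)]
```

Running `find_unsafe_submodules(SAMPLE_GITMODULES)` on the sample returns the traversal name and the empty name, while "libfoo" passes.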

Microsoft recently reported that Git 2.17.1 and Git for Windows 2.17.1 (2) were just released and include the needed fix. "The Visual Studio Team Services (VSTS) team takes security issues very seriously, and we encourage all users to update their Git clients as soon as possible to fix this vulnerability," Microsoft said.

Microsoft has blocked these types of malicious repositories from being pushed to VSTS. This helps to ensure that VSTS cannot be used as a vector for transmitting maliciously crafted repositories to systems still vulnerable to CVE-2018-11235.

Users running Git for Windows should immediately download the latest version, 2.17.1 (2).
Visual Studio 2017 is also being patched, and a hotfix will be available soon, Microsoft promised.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim