An industry-wide security flaw identified as CVE-2018-11235 has been discovered in Git. The vulnerability can lead to arbitrary code execution when a user performs operations in a malicious repository.
CVE-2018-11235 Official Description
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone –recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
Microsoft recently reported that Git 2.17.1 and Git for Windows 2.17.1 (2) were just released and include the needed fix. The Visual Studio Team Services (VSTS) team takes security issues very seriously, and we encourage all users to update their Git clients as soon as possible to fix this vulnerability, Microsoft said.
Microsoft has blocked these types of malicious repositories from being pushed to VSTS. This action helps to ensure that VSTS can’t be exploited as vector for transmitting maliciously crafted repositories to vulnerable systems still prone to CVE-2018-11235.
Users running Git for Windows should immediately download the latest version 2.17.1 (2).
In addition, Visual Studio 2017 is also currently being patched and a hotfix will be available soon, Microsoft promised.