Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2015-8968

Good to know:

icon

Date: November 3, 2016

git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.

Language: Ruby

Severity Score

Related Resources (8)

https://github.com/square/git-fastclone
http://www.securityfocus.com/bid/81433
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git-fastclone/CVE-2015-8968.yml
https://github.com/square/git-fastclone/pull/2
https://web.archive.org/web/20200227213019/http://www.securityfocus.com/bid/81433
https://nvd.nist.gov/vuln/detail/CVE-2015-8968
https://hackerone.com/reports/104465
https://www.mend.io/vulnerability-database/CVE-2015-8968

Severity Score

Weakness Type (CWE)

Command Injection

CWE-77

Top Fix

icon

Upgrade Version

Upgrade to version 1.0.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): COMPLETE
Integrity (I): COMPLETE
Availability (A): COMPLETE
Additional information:

Do you need more information?

Contact Us